Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
* 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
* 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)
* 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
* 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
* 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
* 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)
* 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
* 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
* 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
* 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
* 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
* 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
* 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
* 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
* 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)
* 1:17131 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 parent style rendering arbitrary code execution (browser-ie.rules)
* 1:17132 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer invalid object access attempt (browser-ie.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
* 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34333 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit landing page (deleted.rules)
* 1:34332 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download (exploit-kit.rules)
* 1:34329 <-> DISABLED <-> MALWARE-CNC Cryptolocker variant inbound connection attempt (malware-cnc.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:34322 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Farfli outbound communication (malware-cnc.rules)
* 1:34323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fulairo variant outbound connection (malware-cnc.rules)
* 1:34324 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Siromost variant outbound connection (malware-cnc.rules)
* 1:34325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection (malware-cnc.rules)
* 1:34327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection attempt (malware-cnc.rules)
* 1:34328 <-> DISABLED <-> SERVER-WEBAPP Wordpress comment field stored XSS attempt (server-webapp.rules)
* 1:34335 <-> DISABLED <-> DELETED EXPLOIT-KIT Fiesta exploit kit gate landing page outbound connection (deleted.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:30960 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request (exploit-kit.rules)
* 1:33287 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)
* 1:33288 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer same origin policy bypass attempt (browser-ie.rules)