Talos has added and modified multiple rules in the browser-firefox, exploit-kit, file-multimedia, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules) * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules) * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules) * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules) * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules) * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules) * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules) * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules) * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules) * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules) * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules) * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules) * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules) * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules) * 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules) * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules) * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules) * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules) * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules) * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules) * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules) * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules) * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules) * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules) * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules) * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules) * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules) * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules) * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules) * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules) * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules) * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules) * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules) * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules) * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules) * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules) * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules) * 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules) * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules) * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules) * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules) * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules) * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules) * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules) * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules) * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules) * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules) * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules) * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules) * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules) * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules) * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules) * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules) * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules) * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules) * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules) * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules) * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules) * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules) * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules) * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules) * 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules) * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules) * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules) * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules) * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules) * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules) * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules) * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules) * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules) * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules) * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules) * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules) * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules) * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules) * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules) * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules) * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules) * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules) * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules) * 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules) * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
