Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36819 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36818 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
* 1:36822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36810 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Mabouia outbound connection (malware-cnc.rules)
* 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules)
* 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
* 1:36817 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36823 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server buffer overflow attempt (server-other.rules)
* 1:36809 <-> ENABLED <-> BLACKLIST DNS request for known malware domain creativecode.com.br - OSX.Trojan.Mabouia (blacklist.rules)
* 1:36811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:16422 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:19130 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
* 1:36817 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36809 <-> ENABLED <-> BLACKLIST DNS request for known malware domain creativecode.com.br - OSX.Trojan.Mabouia (blacklist.rules)
* 1:36810 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Mabouia outbound connection (malware-cnc.rules)
* 1:36812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
* 1:36813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36818 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36819 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules)
* 1:36823 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server buffer overflow attempt (server-other.rules)
* 1:36822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:19130 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
* 1:16422 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36824 <-> DISABLED <-> EXPLOIT-KIT Known exploit kit obfuscation routine detected (exploit-kit.rules)
* 1:36823 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server buffer overflow attempt (server-other.rules)
* 1:36822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36819 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:36818 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36817 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
* 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36811 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer nonexistent attribute removal memory corruption attempt (browser-ie.rules)
* 1:36810 <-> ENABLED <-> MALWARE-CNC OSX.Trojan.Mabouia outbound connection (malware-cnc.rules)
* 1:36809 <-> ENABLED <-> BLACKLIST DNS request for known malware domain creativecode.com.br - OSX.Trojan.Mabouia (blacklist.rules)
* 1:19130 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36802 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit browser version detection attempt (exploit-kit.rules)
* 1:16422 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint JPEG with malformed SOFx field integer overflow attempt (file-image.rules)