Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
* 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
* 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
* 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
* 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
* 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)
* 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
* 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
* 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)

Modified Rules:
* 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
* 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
* 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
* 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
* 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
* 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)
* 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
* 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
* 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)

Modified Rules:
* 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
* 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
* 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
* 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
* 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
* 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
* 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
* 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)
* 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
* 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
* 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)

Modified Rules:
* 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
* 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
* 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
* 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
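The record format given for each of the three rule packs above ("gid:sid <-> Default rule state <-> Message (rule group)") is the same, and the column a deployer needs to act on is the default state: rules such as 1:37545 (Netcore/Netis hard-coded backdoor account access) and 1:37547 (eClinicalWorks SQL injection) ship DISABLED and generate no alerts until someone enables them. The Python below is an added example, not code from Talos or the Snort project. It parses records in the documented format, counts DISABLED rules per rule group, emits "gid:sid" lines in the form PulledPork's enablesid.conf accepts for DISABLED rules whose message matches a keyword, and diffs two packs for added, removed and state-flipped SIDs. The six records in PACK_2962 are copied from this page; HYPOTHETICAL_OLDER_PACK is a constructed baseline for the diff, not a real release.

```python
import re
from collections import Counter

# Record format documented on the page:
#   gid:sid <-> Default rule state <-> Message (rule group)
RULE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def _sid_key(key):
    # Numeric sort on "gid:sid" so 1:9999 sorts before 1:10000.
    return tuple(int(part) for part in key.split(":"))


def parse_rule_list(text):
    """Parse rule-update lines into {"gid:sid": {"state", "msg", "group"}}.
    Lines that are not rule records (section headers, blank lines) are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[f"{m['gid']}:{m['sid']}"] = {
                "state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def disabled_by_group(rules):
    """Count rules per group that ship DISABLED; these produce no alerts until enabled."""
    return Counter(r["group"] for r in rules.values() if r["state"] == "DISABLED")


def enablesid_lines(rules, keyword):
    """Return 'gid:sid' entries (one per line is what PulledPork's enablesid.conf takes)
    for DISABLED rules whose message mentions keyword, case-insensitively."""
    return sorted(
        (k for k, r in rules.items()
         if r["state"] == "DISABLED" and keyword.lower() in r["msg"].lower()),
        key=_sid_key)


def diff_packs(old, new):
    """Compare two parsed packs: SIDs added, SIDs removed, SIDs whose default state flipped."""
    added = sorted(set(new) - set(old), key=_sid_key)
    removed = sorted(set(old) - set(new), key=_sid_key)
    changed = sorted((k for k in set(old) & set(new) if old[k]["state"] != new[k]["state"]),
                     key=_sid_key)
    return added, removed, changed


# Six records copied from the 2962 list on this page (with its section header).
PACK_2962 = """
New Rules:
* 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
* 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
* 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
* 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
"""

# Constructed baseline for the diff: a hypothetical earlier pack that lacked the Netcore
# and eClinicalWorks rules and shipped 1:37535 enabled. Not a real Snort release.
HYPOTHETICAL_OLDER_PACK = """
* 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
* 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37535 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
* 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
"""

if __name__ == "__main__":
    new = parse_rule_list(PACK_2962)
    old = parse_rule_list(HYPOTHETICAL_OLDER_PACK)
    print("disabled by group:", dict(disabled_by_group(new)))
    print("enablesid.conf candidates for 'backdoor':", enablesid_lines(new, "backdoor"))
    print("added / removed / state changed:", diff_packs(old, new))
```

Feeding the full list for a pack into parse_rule_list and reviewing disabled_by_group output before deployment is the check that matters here: the browser-plugins ActiveX rules, the Netcore backdoor policy rule and the eClinicalWorks SQLi rule are all off by default in every pack on this page, so a sensor that only pulls the update without touching enablesid.conf gains none of that coverage.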