Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, exploit-kit, file-flash, indicator-obfuscation, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38377 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38376 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
* 1:38379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
* 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
* 1:38373 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38374 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38372 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
* 1:38371 <-> DISABLED <-> SERVER-WEBAPP Bharat Mediratta Gallery PHP file inclusion attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
* 1:38366 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jqtnohzbck5k.com - Bedep (blacklist.rules)
* 1:38367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep.variant CNC server response (malware-cnc.rules)
* 1:38365 <-> DISABLED <-> SERVER-OTHER TCPDUMP ISAKMP payload handling denial of service attempt (server-other.rules)
* 1:38375 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)

* 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38033 <-> DISABLED <-> POLICY-OTHER SWF containing allowLoadBytesCodeExecution function download detected (policy-other.rules)
* 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
* 1:38024 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:38025 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:38021 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:38023 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
* 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules)
* 1:38020 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
* 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
* 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
* 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
* 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
* 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
* 1:38380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
* 1:38379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
* 1:38378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38377 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38376 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38375 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38374 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38373 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38372 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
* 1:38371 <-> DISABLED <-> SERVER-WEBAPP Bharat Mediratta Gallery PHP file inclusion attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
* 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep.variant CNC server response (malware-cnc.rules)
* 1:38366 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jqtnohzbck5k.com - Bedep (blacklist.rules)
* 1:38365 <-> DISABLED <-> SERVER-OTHER TCPDUMP ISAKMP payload handling denial of service attempt (server-other.rules)

* 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
* 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38025 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:38033 <-> DISABLED <-> POLICY-OTHER SWF containing allowLoadBytesCodeExecution function download detected (policy-other.rules)
* 1:38023 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
* 1:38024 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:38020 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
* 1:38021 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
* 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules)
* 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
* 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
* 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
* 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)