Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, file-other, malware-cnc, malware-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
* 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
* 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
* 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
* 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
* 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
* 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
* 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
* 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
* 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
* 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
* 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)
* 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
* 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
* 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
* 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
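The lists in this post repeat the same set of SIDs once per supported Snort version, so a parser for the `gid:sid <-> Default rule state <-> Message (rule group)` format makes it easy to audit which new rules ship DISABLED (the ones you must opt into if the exposure applies to you) and to confirm that the per-version lists agree. The Python below is an added example, not Talos' or Snort's own code. Its sample input is a five-entry excerpt of the version 2976 list above, constructed in the run-together layout the page uses (including one entry that wraps after `<->`); the names `RuleChange`, `parse_rule_list`, `summarize` and `diff_lists` are this example's own.

```python
"""Parse a Snort rule-update announcement list and audit it.

Added example (not Talos' or Snort's code). Each entry follows the
format stated in the post:
    gid:sid <-> Default rule state <-> Message (rule group)
Entries may arrive run together on one line or broken across lines,
as they do when the announcement is scraped; the parser copes with both.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "* " introduces each entry; fields are separated by " <-> "; the trailing
# "(x.rules)" names the rule file (rule group) the SID lives in.
_ENTRY = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)\s*$",
    re.S,
)
# Split a run-together list at every "* " that is followed by "gid:sid".
_SPLIT = re.compile(r"\s*\*\s+(?=\d+:\d+)")


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool   # default state in the Talos policy, not your local config
    msg: str
    group: str


def parse_rule_list(text: str) -> list[RuleChange]:
    """Parse every entry in `text`; raise on anything that does not fit the format."""
    changes = []
    for raw in _SPLIT.split(text):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError(f"unparseable entry: {raw!r}")
        changes.append(RuleChange(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=m["state"] == "ENABLED",
            msg=" ".join(m["msg"].split()),   # collapse line-wrap whitespace
            group=m["group"],
        ))
    return changes


def summarize(changes: list[RuleChange]) -> tuple[Counter, list[int]]:
    """Count entries per (rule group, default-enabled) and list the SIDs that
    ship DISABLED, i.e. the ones a deployment has to enable explicitly."""
    per_group = Counter((c.group, c.enabled) for c in changes)
    disabled = sorted(c.sid for c in changes if not c.enabled)
    return per_group, disabled


def diff_lists(a: list[RuleChange], b: list[RuleChange]):
    """Compare the lists published for two Snort versions. Returns the
    (gid, sid) keys only in a, only in b, and those present in both but
    with a different default state or message."""
    ia = {(c.gid, c.sid): c for c in a}
    ib = {(c.gid, c.sid): c for c in b}
    only_a = sorted(ia.keys() - ib.keys())
    only_b = sorted(ib.keys() - ia.keys())
    mismatched = sorted(k for k in ia.keys() & ib.keys() if ia[k] != ib[k])
    return only_a, only_b, mismatched


# Constructed sample input: a five-entry excerpt of the version 2976 list, kept
# in the page's run-together layout, including the entry that wraps after "<->".
SAMPLE_2976 = (
    "* 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) "
    "* 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules) "
    "* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules) "
    "* 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules) "
    "* 1:38558 <-> \nENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)"
)
# The same five SIDs in the order the version 2980 list prints them.
SAMPLE_2980 = (
    "* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules) "
    "* 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules) "
    "* 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules) "
    "* 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules) "
    "* 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)"
)

if __name__ == "__main__":
    changes = parse_rule_list(SAMPLE_2976)
    per_group, disabled = summarize(changes)
    for (group, enabled), n in sorted(per_group.items()):
        print(f"{group:22} {'ENABLED ' if enabled else 'DISABLED'} {n}")
    print("ships disabled:", disabled)
    print("2976 vs 2980:", diff_lists(changes, parse_rule_list(SAMPLE_2980)))
```

The DISABLED state is the default in the Talos-shipped policy; whether a SID is active on your sensor depends on the policy you load, so treat the `disabled` list from `summarize` as a to-review list (the Angler landing-page and Codesys rules are obvious candidates where that software or exposure exists) rather than as a statement about your deployment. Feeding two complete per-version lists to `diff_lists` should return three empty lists; anything else points at a scrape error or a genuinely version-specific rule.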
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
* 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
* 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
* 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
* 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
* 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
* 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
* 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
* 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
* 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
* 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
* 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)
* 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
* 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
* 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
* 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
* 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
* 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
* 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
* 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
* 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)
* 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
* 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
* 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
* 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
* 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
* 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
* 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
* 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
* 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
* 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
* 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
* 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
* 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
* 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
* 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
* 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)