Talos has added and modified multiple rules in the blacklist, exploit-kit, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)