Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39929 <-> ENABLED <-> MALWARE-OTHER pisloader DNS sinfo command response attempt (malware-other.rules)
* 1:39924 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt (server-other.rules)
* 1:39928 <-> ENABLED <-> MALWARE-OTHER pisloader DNS open command response attempt (malware-other.rules)
* 1:39917 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:39912 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39915 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39913 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39914 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39925 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)
* 1:39926 <-> ENABLED <-> MALWARE-OTHER pisloader DNS drive command response attempt (malware-other.rules)
* 1:39927 <-> ENABLED <-> MALWARE-OTHER pisloader DNS list command response attempt (malware-other.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39916 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)

* 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:18487 <-> DISABLED <-> SERVER-OTHER Ingres Database iidbms heap overflow attempt (server-other.rules)
* 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:28147 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:39560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39916 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39914 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39913 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39912 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:39924 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt (server-other.rules)
* 1:39925 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)
* 1:39926 <-> ENABLED <-> MALWARE-OTHER pisloader DNS drive command response attempt (malware-other.rules)
* 1:39927 <-> ENABLED <-> MALWARE-OTHER pisloader DNS list command response attempt (malware-other.rules)
* 1:39928 <-> ENABLED <-> MALWARE-OTHER pisloader DNS open command response attempt (malware-other.rules)
* 1:39929 <-> ENABLED <-> MALWARE-OTHER pisloader DNS sinfo command response attempt (malware-other.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39917 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39915 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)

* 1:28147 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:18487 <-> DISABLED <-> SERVER-OTHER Ingres Database iidbms heap overflow attempt (server-other.rules)
* 1:39560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:39561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39935 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39934 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39933 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39932 <-> DISABLED <-> BROWSER-PLUGINS Iocomp Software ActiveX clsid access attempt (browser-plugins.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
* 1:39930 <-> ENABLED <-> SERVER-WEBAPP Siemens IP-Camera credential disclosure attempt (server-webapp.rules)
* 1:39929 <-> ENABLED <-> MALWARE-OTHER pisloader DNS sinfo command response attempt (malware-other.rules)
* 1:39928 <-> ENABLED <-> MALWARE-OTHER pisloader DNS open command response attempt (malware-other.rules)
* 1:39927 <-> ENABLED <-> MALWARE-OTHER pisloader DNS list command response attempt (malware-other.rules)
* 1:39926 <-> ENABLED <-> MALWARE-OTHER pisloader DNS drive command response attempt (malware-other.rules)
* 1:39925 <-> ENABLED <-> SERVER-WEBAPP WordPress pingback gethostbyname heap buffer overflow attempt (server-webapp.rules)
* 1:39924 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt (server-other.rules)
* 1:39923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound communication attempt (malware-cnc.rules)
* 1:39917 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39916 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39915 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39914 <-> DISABLED <-> BROWSER-PLUGINS KingView clsid access attempt (browser-plugins.rules)
* 1:39913 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39912 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_notification.php command injection attempt (server-webapp.rules)
* 1:39911 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)

* 1:18487 <-> DISABLED <-> SERVER-OTHER Ingres Database iidbms heap overflow attempt (server-other.rules)
* 1:28147 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:32815 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32816 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:33220 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt (malware-cnc.rules)
* 1:39560 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:39561 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 regex sign-extension denial of service attempt (file-flash.rules)
* 1:39798 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:39799 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)