Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-identify, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
* 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
* 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
* 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
* 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
* 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
* 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
* 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
* 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
* 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
* 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
* 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
* 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40047 <-> ENABLED <-> SERVER-WEBAPP Belkin F9K1122 webpage buffer overflow attempt (server-webapp.rules)
* 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules)
* 1:40045 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40044 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection (malware-cnc.rules)
* 1:40043 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Fantom outbound connection (malware-cnc.rules)
* 1:40042 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40041 <-> DISABLED <-> SERVER-WEBAPP Meinberg LANTIME NTP appliance stack buffer overflow attempt (server-webapp.rules)
* 1:40040 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40039 <-> DISABLED <-> SERVER-WEBAPP FreePBX config.php unauthenticated SQL injection attempt (server-webapp.rules)
* 1:40038 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize var_hash use-after-free attempt (server-webapp.rules)
* 1:40037 <-> DISABLED <-> PUA-ADWARE Google Chrome Google Contacts extension adware (pua-adware.rules)
* 1:40036 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40035 <-> ENABLED <-> FILE-IDENTIFY XLSB file magic detected (file-identify.rules)
* 1:40034 <-> DISABLED <-> EXPLOIT-KIT Exploit kit embedded iframe redirection attempt (exploit-kit.rules)
* 1:40033 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40032 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40031 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 1:40030 <-> DISABLED <-> SERVER-WEBAPP FreePBX Module Administration config.php remotemod command injection attempt (server-webapp.rules)
* 3:40048 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
* 3:40049 <-> ENABLED <-> SERVER-OTHER Cisco IOS PPTP control message response information disclosure detected (server-other.rules)

* 1:39888 <-> DISABLED <-> PUA-ADWARE Dorv Adware variant outbound connection (pua-adware.rules)
* 1:25780 <-> ENABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:28883 <-> ENABLED <-> PUA-ADWARE Apponic CIS file retrieval attempt (pua-adware.rules)
* 1:28884 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:28885 <-> ENABLED <-> PUA-ADWARE Apponic encapsulated installer outbound connection (pua-adware.rules)
* 1:30507 <-> DISABLED <-> SERVER-OTHER MiniUPnPd ExecuteSoapAction buffer overflow attempt (server-other.rules)
* 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:39902 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:6512 <-> DISABLED <-> SERVER-OTHER symantec antivirus realtime virusscan overflow attempt (server-other.rules)
* 1:39901 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39900 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)
* 1:39899 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab outbound connection detected (pua-adware.rules)