Talos has added and modified multiple rules in the file-image, file-multimedia, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
* 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt (malware-cnc.rules)
* 1:40912 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Flokibot variant download attempt (malware-other.rules)
* 1:40913 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Flokibot variant download attempt (malware-other.rules)
* 1:40914 <-> ENABLED <-> FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt (file-image.rules)
* 1:40915 <-> ENABLED <-> FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt (file-image.rules)
* 3:40908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0245 attack attempt (server-other.rules)
* 3:40909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0245 attack attempt (server-other.rules)

* 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
* 1:30532 <-> ENABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
* 1:17316 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Folder GUID Code Execution attempt (os-windows.rules)
* 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:32322 <-> DISABLED <-> SERVER-OTHER Generic JPEG stored cross site scripting attempt (server-other.rules)
* 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:24174 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)
* 1:23261 <-> ENABLED <-> MALWARE-CNC known command and control traffic - Pushbot (malware-cnc.rules)
* 1:32321 <-> DISABLED <-> SERVER-OTHER Generic JPEG stored cross site scripting attempt (server-other.rules)
* 1:24175 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40915 <-> ENABLED <-> FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt (file-image.rules)
* 1:40914 <-> ENABLED <-> FILE-IMAGE ImageMagick LibTIFF invalid SamplesPerPixel buffer overflow attempt (file-image.rules)
* 1:40913 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Flokibot variant download attempt (malware-other.rules)
* 1:40912 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Flokibot variant download attempt (malware-other.rules)
* 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt (malware-cnc.rules)
* 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
* 3:40908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0245 attack attempt (server-other.rules)
* 3:40909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0245 attack attempt (server-other.rules)

* 1:17316 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Folder GUID Code Execution attempt (os-windows.rules)
* 1:32322 <-> DISABLED <-> SERVER-OTHER Generic JPEG stored cross site scripting attempt (server-other.rules)
* 1:32321 <-> DISABLED <-> SERVER-OTHER Generic JPEG stored cross site scripting attempt (server-other.rules)
* 1:31916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:31641 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:31642 <-> ENABLED <-> MALWARE-CNC Win.Tinybanker variant outbound connection (malware-cnc.rules)
* 1:24174 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)
* 1:31442 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Injector variant outbound connection (malware-cnc.rules)
* 1:30532 <-> ENABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
* 1:23261 <-> ENABLED <-> MALWARE-CNC known command and control traffic - Pushbot (malware-cnc.rules)
* 1:24175 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Lataa variant outbound connection (malware-cnc.rules)