Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
* 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
* 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
* 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
* 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
* 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
* 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
* 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
* 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
* 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
* 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
* 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
* 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
* 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
* 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
* 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

* 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
* 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
* 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
* 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
* 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
* 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
* 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
* 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)