Talos has added and modified multiple rules in the file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-solaris, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
* 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
* 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
* 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
* 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
* 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
* 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
* 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
* 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
* 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

* 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
* 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
* 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
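To work with these lists in bulk, for example to find which of the new QNAP rules ship DISABLED and will need enabling locally, or to compare the rule pack for one Snort version against the next, the following Python parser handles the gid:sid <-> state <-> message (group) format described above. It is an added example for this page, not Snort or Talos code; the sample input is a constructed excerpt of the 2976 list (flattened and line-broken the way the page shows it), and the enablesid.conf shape is an assumption about your rule-management tool. The same parser applies unchanged to the 2983 and 2990 lists that follow.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "gid sid state msg group")

# One record in the release-note format shown above:
#   gid:sid <-> Default rule state <-> Message (rule group)
# \s* around the arrows lets a record survive the line break the extraction
# put in the middle of "1:42226 <-> DISABLED ...".
RULE_RE = re.compile(
    r"(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+\.rules)\)",
    re.S,
)

# Constructed excerpt of the 2976 list, flattened the way the page shows it.
SAMPLE_2976 = (
    "* 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command "
    "injection attempt (server-webapp.rules) * 1:42242 <-> ENABLED <-> MALWARE-CNC "
    "Win.Downloader.Dimnie file download attempt (malware-cnc.rules) * 3:42244 <-> "
    "ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt "
    "(server-webapp.rules) * 1:42226 \n<-> DISABLED <-> OS-SOLARIS Solaris RPC XDR "
    "overflow code execution attempt (os-solaris.rules)"
)
# Constructed later list: the same rules plus one entry from the modified list.
SAMPLE_2983 = SAMPLE_2976 + (
    " * 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)"
)


def parse_rules(text):
    """Return the Rule records in a release-note list, in document order.
    Works on the flattened one-line form and on one record per line."""
    return [
        Rule(int(gid), int(sid), state, " ".join(msg.split()), group)
        for gid, sid, state, msg, group in RULE_RE.findall(text)
    ]


def disabled_by_default(rules, keyword=None):
    """Rules that ship DISABLED: they give no coverage until you enable them.
    Optional case-insensitive keyword filter on the message (e.g. "QNAP")."""
    out = [r for r in rules if r.state == "DISABLED"]
    if keyword:
        out = [r for r in out if keyword.lower() in r.msg.lower()]
    return out


def shared_object_rules(rules):
    """gid 3 entries are shared-object (SO) rules: you need the precompiled
    .so bundle for your Snort version and platform, not just the text rule file."""
    return [r for r in rules if r.gid == 3]


def enablesid_lines(rules):
    """gid:sid lines, sorted, one per rule: the shape PulledPork's enablesid.conf
    accepts (assumption: check the format your rule-management tool expects)."""
    return [f"{g}:{s}" for g, s in sorted({(r.gid, r.sid) for r in rules})]


def diff_packs(old, new):
    """(added, removed) gid:sid pairs between two release lists. Ordering
    differences, like those between the three lists on this page, are ignored."""
    old_ids = {(r.gid, r.sid) for r in old}
    new_ids = {(r.gid, r.sid) for r in new}
    return sorted(new_ids - old_ids), sorted(old_ids - new_ids)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_2976)
    for r in disabled_by_default(rules, "QNAP"):
        print(f"disabled by default: {r.gid}:{r.sid} {r.msg}")
    print("enable:", enablesid_lines(disabled_by_default(rules)))
    print("SO rules:", [f"{r.gid}:{r.sid}" for r in shared_object_rules(rules)])
    print("diff 2976->2983:", diff_packs(rules, parse_rules(SAMPLE_2983)))
```

Two practical points the state column encodes: a rule listed as DISABLED is shipped commented out in its .rules file, so the QNAP, NTP, Moxa XXE, RTF and Solaris signatures above detect nothing until you enable them for the assets you actually run; and the gid 3 TRUFFLEHUNTER entries are shared-object rules, which only load if the precompiled SO rules for your Snort build are installed alongside the text rules.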
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
* 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
* 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
* 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
* 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
* 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
* 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
* 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
* 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
* 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

* 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
* 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
* 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
* 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
* 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
* 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
* 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
* 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
* 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
* 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
* 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
* 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
* 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
* 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
* 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
* 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
* 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
* 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

* 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
* 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
* 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
* 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)