Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql, server-other and server-webapp rule sets to provide coverage for emerging threats against these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
* 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
* 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
* 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
* 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
* 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified rules:
* 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)
* 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
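Most of the new SERVER-WEBAPP, EXPLOIT-KIT and BROWSER-IE rules in this pack ship DISABLED, so installing the pack alone does not make them alert; the default state column is the thing to act on. The script below is an added example, not Talos or Snort code: it parses the "gid:sid <-> Default rule state <-> Message (rule group)" lines described above, picks out the rules that are off by default in the rule groups you care about, and renders them as gid:sid entries for a PulledPork enablesid.conf. The sample lines are a constructed excerpt copied from the list above; the rule groups to enable are an assumed input.

```python
import re
from collections import Counter

# Constructed sample in the page's own format (a few entries copied from the list above).
SAMPLE = """\
* 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
* 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
"""

# One entry per line: optional "* " bullet, gid:sid, state, free-text message, "(group.rules)" at the end.
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_rule_list(text):
    """Parse 'gid:sid <-> state <-> Message (group)' lines into dicts; reject anything else."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        r = m.groupdict()
        r["gid"] = int(r["gid"])
        r["sid"] = int(r["sid"])
        r["enabled"] = r["state"] == "ENABLED"
        rules.append(r)
    return rules


def disabled_in_groups(rules, groups):
    """Rules that are off by default but belong to rule groups relevant to this sensor."""
    return [r for r in rules if not r["enabled"] and r["group"] in groups]


def enablesid_lines(rules):
    """Render rules as PulledPork enablesid.conf entries: one 'gid:sid' per line."""
    return [f"{r['gid']}:{r['sid']}" for r in rules]


def state_summary(rules):
    """Count (group, state) pairs so you can see at a glance how much of a pack is dormant."""
    return Counter((r["group"], r["state"]) for r in rules)


if __name__ == "__main__":
    rules = parse_rule_list(SAMPLE)
    # Assumed input: this sensor fronts web apps, so pull the server-webapp rules on.
    wanted = {"server-webapp.rules"}
    for entry in enablesid_lines(disabled_in_groups(rules, wanted)):
        print(entry)
    for (group, state), n in sorted(state_summary(rules).items()):
        print(f"{group:24s} {state:8s} {n}")
```

Feed the script the whole list and review the DISABLED entries per group before enabling anything: the directory-traversal and command-injection signatures here are noisy on networks that do not expose the product named in the message. Entries with gid 3 are shared-object rules and only take effect if the precompiled SO rule package for your Snort build and platform is installed alongside the text rules.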
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
* 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
* 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
* 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
* 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
* 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified rules:
* 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)
* 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
* 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
* 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
* 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
* 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
* 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
* 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
* 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
* 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
* 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
* 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified rules:
* 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)
* 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
* 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)