Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42962 <-> DISABLED <-> SERVER-WEBAPP Java Hibernate Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42953 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42951 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer arbitrary JSP file upload attempt (server-webapp.rules)
* 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules)
* 1:42954 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules)
* 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules)
* 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules)
* 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42960 <-> DISABLED <-> SERVER-WEBAPP Java BeanShell Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42963 <-> DISABLED <-> SERVER-WEBAPP Java Mozilla Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42964 <-> DISABLED <-> SERVER-WEBAPP Java MyFaces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42965 <-> DISABLED <-> SERVER-WEBAPP Java RMI Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42966 <-> DISABLED <-> SERVER-WEBAPP Java URLDNS Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42967 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
* 1:42968 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
* 1:42969 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42952 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection attempt (malware-cnc.rules)
* 1:42955 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance upload.cgi directory traversal attempt (server-webapp.rules)
* 1:42972 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42970 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42971 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)

* 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
* 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
* 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
* 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42972 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42971 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42970 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42969 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
* 1:42968 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
* 1:42967 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
* 1:42966 <-> DISABLED <-> SERVER-WEBAPP Java URLDNS Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42965 <-> DISABLED <-> SERVER-WEBAPP Java RMI Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42964 <-> DISABLED <-> SERVER-WEBAPP Java MyFaces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42963 <-> DISABLED <-> SERVER-WEBAPP Java Mozilla Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42962 <-> DISABLED <-> SERVER-WEBAPP Java Hibernate Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42960 <-> DISABLED <-> SERVER-WEBAPP Java BeanShell Library unauthorized serialized object attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42955 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance upload.cgi directory traversal attempt (server-webapp.rules)
* 1:42954 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42953 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42952 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
* 1:42951 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer arbitrary JSP file upload attempt (server-webapp.rules)
* 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules)
* 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules)
* 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules)
* 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules)
* 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules)
* 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection attempt (malware-cnc.rules)

* 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
* 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
* 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
* 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)