Talos Rules 2017-06-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-flash, file-identify, file-image, file-other, indicator-compromise, malware-cnc, netbios, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-06-29 18:00:48 UTC

Snort Subscriber Rules Update

Date: 2017-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43359 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43364 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:43363 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:43362 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43365 <-> DISABLED <-> SERVER-WEBAPP Wordpress Complete Gallery Manager arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43366 <-> DISABLED <-> SERVER-WEBAPP Piwigo directory traversal attempt (server-webapp.rules)
 * 1:43367 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt (browser-firefox.rules)
 * 1:43368 <-> DISABLED <-> FILE-OTHER Compface xbm long declaration buffer overflow attempt (file-other.rules)
 * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules)
 * 1:43371 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43372 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43369 <-> DISABLED <-> FILE-OTHER Compface xbm long declaration buffer overflow attempt (file-other.rules)
 * 1:43373 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43374 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43375 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43376 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43377 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43378 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43379 <-> DISABLED <-> SERVER-WEBAPP CA ERwin Web Portal ProfileIconServlet directory traversal attempt (server-webapp.rules)
 * 1:43380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected (os-windows.rules)
 * 1:43381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected (os-windows.rules)
 * 1:43382 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt (file-flash.rules)
 * 1:43383 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt (file-flash.rules)
 * 1:43384 <-> DISABLED <-> INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt (indicator-compromise.rules)
 * 1:43385 <-> DISABLED <-> INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt (indicator-compromise.rules)
 * 1:43386 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43387 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
 * 1:43389 <-> DISABLED <-> INDICATOR-COMPROMISE Symantec Endpoint Protection potential binary planting RCE attempt (indicator-compromise.rules)
 * 1:43391 <-> DISABLED <-> SERVER-WEBAPP MySQL Commander remote file include attempt (server-webapp.rules)
 * 1:43392 <-> DISABLED <-> SERVER-WEBAPP MySQL Commander remote file include attempt (server-webapp.rules)
 * 1:43393 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt (file-flash.rules)
 * 1:43394 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt (file-flash.rules)
 * 1:43395 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader profile use after free attempt (file-flash.rules)
 * 1:43396 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader profile use after free attempt (file-flash.rules)
 * 1:43397 <-> DISABLED <-> SERVER-OTHER Proface GP-Pro EX EX-ED BeginPreRead stack buffer overflow attempt (server-other.rules)
 * 1:43398 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt (browser-ie.rules)
 * 1:43399 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:43400 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43401 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43402 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43403 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43404 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt (file-flash.rules)
 * 1:43406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt (file-flash.rules)
 * 1:43407 <-> DISABLED <-> POLICY-OTHER MongoDB insert document attempt (policy-other.rules)
 * 1:43408 <-> DISABLED <-> POLICY-OTHER MongoDB query attempt (policy-other.rules)
 * 1:43361 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43423 <-> DISABLED <-> DELETED rfhewhf784rh7qrhq87rh2378ry228jpr8q8wjrq98wr8r (deleted.rules)
 * 1:43422 <-> DISABLED <-> DELETED rfhewhf784rh7qrhq87rh2378ry228jpr8q8wjrq98wr8r (deleted.rules)
 * 1:43421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:43420 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:43419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43417 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43360 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)

Modified Rules:

 * 1:43191 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway performBackupNow.do command injection attempt (server-webapp.rules)
 * 1:38836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:43184 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
 * 1:38835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:29650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:29651 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:24465 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:23174 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt (browser-plugins.rules)
 * 1:23175 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt (browser-plugins.rules)
 * 1:25247 <-> DISABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules)
 * 1:16716 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:17258 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt (browser-firefox.rules)
 * 1:17303 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt (browser-ie.rules)
 * 1:19168 <-> DISABLED <-> SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt (server-webapp.rules)
 * 1:25248 <-> DISABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)

2017-06-29 18:00:48 UTC

Snort Subscriber Rules Update

Date: 2017-06-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43423 <-> DISABLED <-> DELETED rfhewhf784rh7qrhq87rh2378ry228jpr8q8wjrq98wr8r (deleted.rules)
 * 1:43422 <-> DISABLED <-> DELETED rfhewhf784rh7qrhq87rh2378ry228jpr8q8wjrq98wr8r (deleted.rules)
 * 1:43421 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:43420 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:43419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43417 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43416 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData object out of bounds access attempt (file-flash.rules)
 * 1:43415 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43414 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43413 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43410 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:43409 <-> DISABLED <-> POLICY-OTHER MongoDB dropDatabase attempt (policy-other.rules)
 * 1:43408 <-> DISABLED <-> POLICY-OTHER MongoDB query attempt (policy-other.rules)
 * 1:43407 <-> DISABLED <-> POLICY-OTHER MongoDB insert document attempt (policy-other.rules)
 * 1:43406 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt (file-flash.rules)
 * 1:43405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player determinePreferredLocales out of bounds memory read attempt (file-flash.rules)
 * 1:43404 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43403 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43402 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center directory traversal directory traversal attempt (server-webapp.rules)
 * 1:43401 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43400 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43399 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:43398 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt (browser-ie.rules)
 * 1:43397 <-> DISABLED <-> SERVER-OTHER Proface GP-Pro EX EX-ED BeginPreRead stack buffer overflow attempt (server-other.rules)
 * 1:43396 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader profile use after free attempt (file-flash.rules)
 * 1:43395 <-> ENABLED <-> FILE-FLASH Adobe Acrobat Reader profile use after free attempt (file-flash.rules)
 * 1:43394 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt (file-flash.rules)
 * 1:43393 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MPEG-4 AVC decoding out of bounds read attempt (file-flash.rules)
 * 1:43392 <-> DISABLED <-> SERVER-WEBAPP MySQL Commander remote file include attempt (server-webapp.rules)
 * 1:43391 <-> DISABLED <-> SERVER-WEBAPP MySQL Commander remote file include attempt (server-webapp.rules)
 * 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
 * 1:43389 <-> DISABLED <-> INDICATOR-COMPROMISE Symantec Endpoint Protection potential binary planting RCE attempt (indicator-compromise.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:43387 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43386 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43385 <-> DISABLED <-> INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt (indicator-compromise.rules)
 * 1:43384 <-> DISABLED <-> INDICATOR-COMPROMISE Wing FTP Server potentially malicious admin user creation attempt (indicator-compromise.rules)
 * 1:43383 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt (file-flash.rules)
 * 1:43382 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AdvertisingMetadata use after free attempt (file-flash.rules)
 * 1:43381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected (os-windows.rules)
 * 1:43380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng custom apicall instruction use detected (os-windows.rules)
 * 1:43379 <-> DISABLED <-> SERVER-WEBAPP CA ERwin Web Portal ProfileIconServlet directory traversal attempt (server-webapp.rules)
 * 1:43378 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43377 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43376 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43375 <-> DISABLED <-> BROWSER-PLUGINS EB Design Pty Ltd ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43374 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43373 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43372 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43371 <-> DISABLED <-> BROWSER-PLUGINS DivX Player DivXBrowserPlugin ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43370 <-> DISABLED <-> NETBIOS DCERPC possible wmi remote process launch (netbios.rules)
 * 1:43369 <-> DISABLED <-> FILE-OTHER Compface xbm long declaration buffer overflow attempt (file-other.rules)
 * 1:43368 <-> DISABLED <-> FILE-OTHER Compface xbm long declaration buffer overflow attempt (file-other.rules)
 * 1:43367 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt (browser-firefox.rules)
 * 1:43366 <-> DISABLED <-> SERVER-WEBAPP Piwigo directory traversal attempt (server-webapp.rules)
 * 1:43365 <-> DISABLED <-> SERVER-WEBAPP Wordpress Complete Gallery Manager arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43364 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:43363 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:43362 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43361 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43360 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)
 * 1:43359 <-> DISABLED <-> FILE-IMAGE Microsoft GDI WMF file parsing integer overflow attempt (file-image.rules)

Modified Rules:

 * 1:16636 <-> DISABLED <-> OS-WINDOWS Microsoft Windows .NET framework XMLDsig data tampering attempt (os-windows.rules)
 * 1:16716 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:17258 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree element code execution attempt (browser-firefox.rules)
 * 1:17303 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer clone object memory corruption attempt (browser-ie.rules)
 * 1:19168 <-> DISABLED <-> SERVER-WEBAPP Oracle GoldenGate Veridata Server soap request overflow attempt (server-webapp.rules)
 * 1:23174 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt (browser-plugins.rules)
 * 1:23175 <-> DISABLED <-> BROWSER-PLUGINS IBM Lotus Quickr ActiveX stack buffer overflow attempt (browser-plugins.rules)
 * 1:24465 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file magic detected (file-identify.rules)
 * 1:25247 <-> DISABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:25248 <-> DISABLED <-> FILE-OTHER Lattice PAC Designer symbol value buffer overflow attempt (file-other.rules)
 * 1:29650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:29651 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MoveToMarkupPointer call with CControlTracker OnExitTree use-after-free attempt (browser-ie.rules)
 * 1:38835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:43184 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
 * 1:43191 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway performBackupNow.do command injection attempt (server-webapp.rules)