Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-identify, file-office, file-other, malware-cnc, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43615 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
* 1:43612 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43610 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
* 1:43611 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
* 1:43609 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
* 1:43622 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (browser-ie.rules)
* 1:43621 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
* 1:43620 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
* 1:43616 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43614 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43617 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43608 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
* 1:43624 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (file-other.rules)
* 1:43613 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43607 <-> DISABLED <-> BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (browser-plugins.rules)
* 1:43625 <-> ENABLED <-> SERVER-WEBAPP Axis M3004 remote code execution attempt (server-webapp.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43603 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
* 1:43604 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
* 1:43626 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
* 1:43601 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
* 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
* 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43600 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
* 1:43627 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
* 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43632 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
* 1:43633 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
* 1:43635 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:43634 <-> DISABLED <-> SERVER-WEBAPP Zenoss call home remote code execution attempt (server-webapp.rules)
* 1:43636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:43637 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (server-webapp.rules)
* 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43623 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (file-other.rules)
* 1:43619 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43644 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (browser-firefox.rules)
* 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox css frame constructor memory corruption attempt (browser-firefox.rules)
* 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43618 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43643 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (browser-firefox.rules)
* 3:43630 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43631 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43628 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43629 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 1:16721 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
* 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
* 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:29168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:29169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:25658 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
* 1:2655 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin ExecuteFile admin access (server-other.rules)
* 1:2549 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin file write attempt (server-other.rules)
* 1:25657 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
* 1:2547 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin remote file upload attempt (server-other.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access (server-other.rules)
* 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
* 1:23939 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
* 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
* 1:20054 <-> DISABLED <-> SERVER-OTHER HP OpenView Network Node Manager denial of service attempt (server-other.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:18188 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt (browser-firefox.rules)
* 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43644 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (browser-firefox.rules)
* 1:43643 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (browser-firefox.rules)
* 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox css frame constructor memory corruption attempt (browser-firefox.rules)
* 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
* 1:43637 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (server-webapp.rules)
* 1:43636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:43635 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:43634 <-> DISABLED <-> SERVER-WEBAPP Zenoss call home remote code execution attempt (server-webapp.rules)
* 1:43633 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
* 1:43632 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
* 1:43627 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
* 1:43626 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
* 1:43625 <-> ENABLED <-> SERVER-WEBAPP Axis M3004 remote code execution attempt (server-webapp.rules)
* 1:43624 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (file-other.rules)
* 1:43623 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (file-other.rules)
* 1:43622 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (browser-ie.rules)
* 1:43621 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
* 1:43620 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
* 1:43619 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43618 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43617 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43616 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
* 1:43615 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
* 1:43614 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43613 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43612 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:43611 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
* 1:43610 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
* 1:43609 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
* 1:43608 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
* 1:43607 <-> DISABLED <-> BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43604 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
* 1:43603 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
* 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
* 1:43601 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
* 1:43600 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
* 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
* 3:43631 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43629 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43630 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 3:43628 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
* 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
* 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
* 1:29169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
* 1:29168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:25658 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
* 1:2655 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin ExecuteFile admin access (server-other.rules)
* 1:2549 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin file write attempt (server-other.rules)
* 1:25657 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
* 1:2547 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin remote file upload attempt (server-other.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access (server-other.rules)
* 1:23939 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
* 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
* 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:16721 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
* 1:18188 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt (browser-firefox.rules)
* 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
* 1:20054 <-> DISABLED <-> SERVER-OTHER HP OpenView Network Node Manager denial of service attempt (server-other.rules)