Talos has added and modified multiple rules in the app-detect, file-office, malware-cnc, malware-other, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:45487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45490 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:27123 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt (server-other.rules)
* 1:42490 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42491 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:45487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45490 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:27123 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt (server-other.rules)
* 1:42490 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42491 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:45487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45490 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:27123 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt (server-other.rules)
* 1:42490 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42491 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45483 <-> ENABLED <-> MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected (malware-cnc.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:45487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45489 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45490 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:27123 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector CRS opcode 259 buffer overflow attempt (server-other.rules)
* 1:42490 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42491 <-> DISABLED <-> POLICY-OTHER Intel AMT remote administration tool access attempt (policy-other.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
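The "gid:sid <-> Default rule state <-> Message (rule group)" format used in every list above is regular enough to parse, and the two questions a practitioner usually has after reading one of these updates are which of the new rules ship DISABLED (the Cambium cnPilot traversal, Word PlfLfo, Intel AMT and HP Data Protector rules here, which need a local decision before they generate alerts) and whether anything changed between two rule-pack versions. The script below is an added example written for this page; it is not Talos or Snort tooling. It parses entries whether they sit one per line or run together on a single line as in the extracted text, summarises default states per rule group, emits the disabled rules in the one-gid:sid-per-line form that PulledPork's enablesid.conf accepts, and diffs two changelogs. The sample entries are copied from the lists above; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# One changelog entry, after the leading "* " marker has been split off:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)$"
)

# Entries may be one per line or run together on one line; either way each
# entry begins with "* gid:sid <->", so split on that marker.
SPLIT_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")

# Constructed sample input: five entries taken from the rule-pack lists above.
SAMPLE = """\
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Word PlfLfo use after free attempt (file-office.rules)
* 1:42492 <-> DISABLED <-> APP-DETECT Intel AMT DHCP boot request detected (app-detect.rules)
"""


def parse_entries(text):
    """Parse changelog text into dicts; fail loudly on anything that is not an entry."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"unparseable changelog entry: {chunk!r}")
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            # The first token of the message is the rule classification, e.g. MALWARE-CNC.
            "category": m["msg"].split(" ", 1)[0],
            "msg": m["msg"],
            "group": m["group"],
        })
    return entries


def summarize(entries):
    """Count default states per rule group: {'server-webapp.rules': Counter({...}), ...}."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[e["group"]][e["state"]] += 1
    return dict(summary)


def disabled_sids(entries):
    """gid:sid of every rule shipped DISABLED, numerically sorted, one per line
    as enablesid.conf expects. Review each one before enabling it."""
    keys = sorted((e["gid"], e["sid"]) for e in entries if e["state"] == "DISABLED")
    return [f"{gid}:{sid}" for gid, sid in keys]


def _numeric(key):
    gid, sid = key.split(":")
    return (int(gid), int(sid))


def diff_packs(old_entries, new_entries):
    """Compare two changelogs: rules added, removed, or whose default state flipped."""
    old = {f"{e['gid']}:{e['sid']}": e for e in old_entries}
    new = {f"{e['gid']}:{e['sid']}": e for e in new_entries}
    return {
        "added": sorted(new.keys() - old.keys(), key=_numeric),
        "removed": sorted(old.keys() - new.keys(), key=_numeric),
        "state_changed": sorted(
            ((k, old[k]["state"], new[k]["state"])
             for k in old.keys() & new.keys()
             if old[k]["state"] != new[k]["state"]),
            key=lambda t: _numeric(t[0]),
        ),
    }


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for group, counts in sorted(summarize(entries).items()):
        print(f"{group:22s} enabled={counts['ENABLED']} disabled={counts['DISABLED']}")
    print("disabled by default (candidate enablesid.conf lines):")
    for key in disabled_sids(entries):
        print(key)
```

Run against the four version sections above, diff_packs reports no additions, removals or state changes between them, which is the quick way to confirm that the 2.9.11.0, 2.9.11.1, 2.9.8.3 and 2.9.9.0 packs carry the same rule set for this update. The parser raises on any chunk it cannot match rather than skipping it, so a truncated or mangled copy of the changelog fails the check instead of silently dropping rules.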