Talos has added and modified multiple rules in the file-flash, file-image, file-office, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49232 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49233 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49234 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49231 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49214 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49220 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49221 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49235 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49222 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49223 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49230 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49219 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49212 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49224 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49213 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49225 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49211 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49226 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49229 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49236 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
* 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49232 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49211 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49231 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49234 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49235 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49236 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49214 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49220 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49221 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49222 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49223 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49213 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49212 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49219 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49230 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49233 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49224 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49225 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49226 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49229 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49231 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (snort3-file-flash.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
* 1:49215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49214 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:49217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49211 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
* 1:49236 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (snort3-file-pdf.rules)
* 1:49235 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (snort3-file-pdf.rules)
* 1:49234 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (snort3-file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
* 1:49212 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
* 1:49220 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49221 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49222 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49223 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49230 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (snort3-file-pdf.rules)
* 1:49218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49233 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (snort3-file-pdf.rules)
* 1:49232 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (snort3-file-flash.rules)
* 1:49219 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49213 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:49216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49224 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (snort3-malware-cnc.rules)
* 1:49225 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (snort3-file-pdf.rules)
* 1:49226 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (snort3-file-pdf.rules)
* 1:49229 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (snort3-file-pdf.rules)
* 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (snort3-file-image.rules)
* 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (snort3-file-image.rules)
* 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (snort3-os-windows.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (snort3-file-office.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (snort3-malware-cnc.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (snort3-file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49214 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49231 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49230 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49232 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49212 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49213 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49234 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49233 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49211 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49219 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49220 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49221 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49222 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49225 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49226 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49229 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49236 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49235 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49223 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49224 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49221 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49220 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49219 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt (malware-cnc.rules)
* 1:49214 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49213 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine out-of-bounds read attempt (file-pdf.rules)
* 1:49212 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49211 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49236 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49235 <-> ENABLED <-> FILE-PDF JavaScript XFA engine use after free attempt (file-pdf.rules)
* 1:49234 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49233 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript untrusted pointer dereference attempt detected (file-pdf.rules)
* 1:49232 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49231 <-> DISABLED <-> FILE-FLASH Adobe Flash Player drawTriangles out-of-bounds read attempt (file-flash.rules)
* 1:49230 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49229 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds write attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49226 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49225 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader TIF orientation out of bounds read attempt (file-pdf.rules)
* 1:49224 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49223 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:49222 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt (malware-cnc.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:44061 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:44062 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
* 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)