Talos has added and modified multiple rules in the file-java, file-pdf, malware-cnc, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
* 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
* 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)

* 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
* 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
* 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)

* 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000 (Snort 3.0.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (snort3-malware-cnc.rules)

* 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules)
* 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules)
* 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (snort3-malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (snort3-server-oracle.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101 (Snort 2.9.11.1).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
* 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
* 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)

* 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200 (Snort 2.9.12.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
* 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
* 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
* 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
* 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
* 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)

* 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
* 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
* 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
* 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
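The `gid:sid <-> Default rule state <-> Message (rule group)` listing used in each pack above is regular enough to parse mechanically, which is how a practitioner would answer the two operational questions these updates raise: which of the rules ship DISABLED and so do nothing until turned on (here the Oracle Access Manager authentication bypass and the two Java IntegerInterleavedRaster rules), and which gid:3 shared-object rules appear only in the 2.9.x packs and not in the Snort 3 pack. The following Python is an added example, not Talos or Snort tooling. The two sample listings are a constructed subset of the entries in this post, and writing the disabled rules out as one `gid:sid` per line is an assumption that you feed them to PulledPork's enablesid.conf; adjust for whatever manages your policy.

```python
"""Parse a Talos rule-update listing (gid:sid <-> STATE <-> message (group.rules))
and compare two rule packs. Added example; the sample listings below are a
constructed subset of the entries in the post, not a download from Talos."""
import re
from dataclasses import dataclass

# One entry of the listing. Entries are often run together on a single line
# separated by " * ", so we scan with finditer instead of splitting on newlines.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str   # "ENABLED" or "DISABLED": the default state in the pack's policy
    msg: str
    group: str   # rule file the rule lives in, e.g. server-other.rules


def parse_listing(text):
    """Return {(gid, sid): RuleEntry} for every entry found in the text."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        e = RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"].strip(), m["group"])
        entries[(e.gid, e.sid)] = e
    return entries


def disabled_by_default(entries):
    """gid:sid strings for rules shipped DISABLED, one per line as PulledPork's
    enablesid.conf accepts them (assumed consumer; adapt to your own tooling)."""
    return [f"{g}:{s}" for (g, s) in sorted(entries) if entries[(g, s)].state == "DISABLED"]


def shared_object_sids(entries):
    """SIDs of gid:3 (shared-object) rules; these need the precompiled .so for your platform."""
    return sorted(s for (g, s) in entries if g == 3)


def missing_from(reference, candidate):
    """(gid, sid) keys listed in `reference` but absent from `candidate`."""
    return sorted(set(reference) - set(candidate))


def rules_per_group(entries):
    """Count of listed rules per rule file, to see which groups a pack touched."""
    counts = {}
    for e in entries.values():
        counts[e.group] = counts.get(e.group, 0) + 1
    return counts


# Constructed subset of the 2983 (Snort 2.9.8.3) and 3000 (Snort 3) listings from this post.
PACK_2983 = """
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules) * 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules) * 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules) * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules) * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
"""

PACK_3000 = """
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (snort3-malware-cnc.rules)
* 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (snort3-server-oracle.rules) * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules) * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    old, new = parse_listing(PACK_2983), parse_listing(PACK_3000)
    print("disabled by default (enablesid.conf lines):", disabled_by_default(old))
    print("shared-object rules in 2983:", shared_object_sids(old))
    print("in 2983 but absent from the Snort 3 pack:", missing_from(old, new))
    print("rules per group in 3000:", rules_per_group(new))
```

Two caveats the listing itself makes visible: a rule marked DISABLED is present in the pack but fires only once your policy enables it, so the Oracle Access Manager and Java rules above give no coverage until you act; and the gid:3 Cisco rules are shared-object rules, which exist only in the 2.9.x packs here and require the matching precompiled shared object for your Snort build.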