Talos has added and modified multiple rules in the file-office, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (policy-other.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49517 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49518 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49502 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49508 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49500 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49499 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49503 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49504 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49498 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49505 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49512 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49513 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49515 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49514 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 3:49511 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface stack buffer overflow attempt (server-webapp.rules)
* 3:49510 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface directory traversal attempt (server-webapp.rules)
* 3:49509 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface authorization bypass attempt (server-webapp.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
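Every rule list on this page uses the same `gid:sid <-> Default rule state <-> Message (rule group)` line format. The following Python is an added example, not part of the Talos advisory or of any Snort tooling. It parses entries in that format (including copies where several entries have been run together on one line, as happens when the list is pasted flat), counts default states per rule group, lists the rules shipped DISABLED in the `gid:sid` one-per-line form that a rule manager such as PulledPork reads from `enablesid.conf`, flags gid 3 entries (shared-object rules, which need the precompiled SO rule package matching your Snort build rather than a text rule), and diffs two parsed lists so the near-identical packs above and below can be compared. The sample text is a constructed excerpt of the list above, not the full list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the page's own format: a short excerpt of the list
# above, with two entries deliberately run together on one line.
SAMPLE = """\
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (policy-other.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules) * 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 3:49509 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface authorization bypass attempt (server-webapp.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
"""

# One entry: gid:sid <-> STATE <-> message (group.rules)
ENTRY = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)"
)


def parse_changelog(text):
    """Return one dict per rule entry found in `text`.

    Entries are split on the leading '* ' marker rather than on newlines, so a
    line carrying several entries run together is still parsed correctly."""
    rules = []
    for chunk in re.split(r"(?:^|\s)\*\s+", text):
        m = ENTRY.search(chunk)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"].strip(),
            "group": m["group"],
            # gid 3 marks shared-object (precompiled) rules; gid 1 marks text rules.
            "shared_object": m["gid"] == "3",
        })
    return rules


def summarize(rules):
    """Counts per default state overall and per rule group (.rules file)."""
    by_state = Counter(r["state"] for r in rules)
    by_group = defaultdict(Counter)
    for r in rules:
        by_group[r["group"]][r["state"]] += 1
    return by_state, by_group


def disabled_by_default(rules):
    """gid:sid of rules shipped DISABLED, one per entry, in the form PulledPork's
    enablesid.conf accepts. Review each against the software you actually run
    before enabling it; DISABLED is a default, not a verdict on the rule."""
    return [f"{r['gid']}:{r['sid']}" for r in rules if r["state"] == "DISABLED"]


def shared_object_rules(rules):
    """gid:sid of shared-object rules (gid 3); these only load if the SO rule
    package for your Snort version and platform is installed."""
    return [f"{r['gid']}:{r['sid']}" for r in rules if r["shared_object"]]


def diff_packs(old, new):
    """Compare two parsed lists: (gid, sid) keys added in `new`, removed from
    `old`, and present in both but with a changed default state."""
    o = {(r["gid"], r["sid"]): r for r in old}
    n = {(r["gid"], r["sid"]): r for r in new}
    added = sorted(n.keys() - o.keys())
    removed = sorted(o.keys() - n.keys())
    changed = sorted(k for k in o.keys() & n.keys() if o[k]["state"] != n[k]["state"])
    return added, removed, changed


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    by_state, by_group = summarize(rules)
    print("default states:", dict(by_state))
    for group, counts in sorted(by_group.items()):
        print(f"  {group}: {dict(counts)}")
    print("disabled by default (enablesid.conf candidates):", disabled_by_default(rules))
    print("shared-object (gid 3) rules:", shared_object_rules(rules))
```

Run it against the full text of any of the five lists on this page (paste the list into `SAMPLE` or read it from a file) to get the per-group counts and the set of default-disabled SIDs for that pack; feed two packs' lists to `diff_packs` to see which SIDs differ between them.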
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49498 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49515 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49518 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49517 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49505 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49502 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49503 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49499 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49500 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49508 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49513 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49514 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49504 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49512 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (policy-other.rules)
* 1:49507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 3:49509 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface authorization bypass attempt (server-webapp.rules)
* 3:49510 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface directory traversal attempt (server-webapp.rules)
* 3:49511 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface stack buffer overflow attempt (server-webapp.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49504 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:49519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49499 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (snort3-server-webapp.rules)
* 1:49518 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49503 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (snort3-server-webapp.rules)
* 1:49520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49502 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (snort3-server-webapp.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49498 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (snort3-server-webapp.rules)
* 1:49517 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49515 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49513 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49514 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49508 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49512 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
* 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (snort3-file-office.rules)
* 1:49505 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (snort3-policy-other.rules)
* 1:49500 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (snort3-file-office.rules)
* 1:49507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (snort3-malware-cnc.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49517 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49503 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49518 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49500 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49498 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49515 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49513 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49514 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49508 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49512 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (policy-other.rules)
* 1:49507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49505 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49499 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49504 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49502 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 3:49509 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface authorization bypass attempt (server-webapp.rules)
* 3:49510 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface directory traversal attempt (server-webapp.rules)
* 3:49511 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface stack buffer overflow attempt (server-webapp.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49517 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49516 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49515 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49514 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49513 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49512 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49508 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shade malicious executable download attempt (malware-cnc.rules)
* 1:49506 <-> DISABLED <-> POLICY-OTHER Thomson TWG850-4 unauthenticated backup download attempt (policy-other.rules)
* 1:49505 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49504 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro saveFilteredXML out-of-bounds read attempt (file-pdf.rules)
* 1:49503 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49502 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails render file directory traversal attempt (server-webapp.rules)
* 1:49501 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49500 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel conditional code execution attempt (file-office.rules)
* 1:49499 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49498 <-> ENABLED <-> SERVER-WEBAPP Jenkins Groovy metaprogramming remote code execution attempt (server-webapp.rules)
* 1:49520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:49518 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 3:49509 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface authorization bypass attempt (server-webapp.rules)
* 3:49510 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface directory traversal attempt (server-webapp.rules)
* 3:49511 <-> ENABLED <-> SERVER-WEBAPP Cisco IP Phone web interface stack buffer overflow attempt (server-webapp.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)