The Sourcefire VRT has added and modified multiple rules in the blacklist, file-flash, file-identify, file-multimedia, file-other, file-pdf, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
* 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
* 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
* 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
* 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
* 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
* 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
* 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
* 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
* 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
* 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
* 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
* 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
* 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
* 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
* 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)

* 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
* 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
* 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
* 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
* 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
* 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
* 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
* 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
* 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
* 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
* 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
* 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
* 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)
* 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
* 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
* 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
* 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
* 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
* 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
* 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
* 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
* 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
* 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
* 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
* 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)

* 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
* 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
* 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
* 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
* 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
* 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
* 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
* 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
* 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
* 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)
* 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant check-in attempt (malware-cnc.rules)
* 1:31261 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Symmi outbound connection attempt (malware-cnc.rules)
* 1:31260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt (malware-cnc.rules)
* 1:31259 <-> DISABLED <-> SERVER-WEBAPP Supermicro Intelligent Management Controller url_redirect.cgi directory traversal attempt (server-webapp.rules)
* 1:31258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Destoplug variant outbound connection (malware-cnc.rules)
* 1:31257 <-> ENABLED <-> BLACKLIST DNS request for known malware domain rc1.arkinixik.net - Win.Trojan.Destoplug (blacklist.rules)
* 1:31256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
* 1:31254 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host (malware-cnc.rules)
* 1:31253 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.pc-service-fm.de - HAVEX RAT (blacklist.rules)
* 1:31252 <-> ENABLED <-> BLACKLIST DNS request for known malware domain toons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31251 <-> ENABLED <-> BLACKLIST DNS request for known malware domain swissitaly.com - HAVEX RAT (blacklist.rules)
* 1:31250 <-> ENABLED <-> BLACKLIST DNS request for known malware domain simpsons.freesexycomics.com - HAVEX RAT (blacklist.rules)
* 1:31249 <-> ENABLED <-> BLACKLIST DNS request for known malware domain pekanin.freevar.com - HAVEX RAT (blacklist.rules)
* 1:31248 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mahsms.ir - HAVEX RAT (blacklist.rules)
* 1:31247 <-> ENABLED <-> BLACKLIST DNS request for known malware domain artem.sataev.com - HAVEX RAT (blacklist.rules)
* 1:31246 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31245 <-> ENABLED <-> FILE-FLASH Adobe Flash malformed regular expression exploit attempt (file-flash.rules)
* 1:31244 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt (malware-cnc.rules)
* 1:31243 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Necurs variant outbound connection (malware-cnc.rules)
* 1:31242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Utishaf variant outbound connection attempt (malware-cnc.rules)
* 1:31241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)
* 1:31240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection attempt (malware-cnc.rules)

* 1:7635 <-> DISABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection attempt (malware-cnc.rules)
* 1:30760 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file download request (file-identify.rules)
* 1:30759 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:30758 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:30757 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:20269 <-> DISABLED <-> FILE-IDENTIFY FON font file download request (file-identify.rules)
* 1:20481 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:21295 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:21296 <-> DISABLED <-> FILE-IDENTIFY FON file attachment detected (file-identify.rules)
* 1:30756 <-> DISABLED <-> FILE-IDENTIFY ABC Music Notation file attachment detected (file-identify.rules)
* 1:21858 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:21859 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader msiexec.exe file load exploit attempt (file-pdf.rules)
* 1:22943 <-> DISABLED <-> FILE-IDENTIFY NAB file download request (file-identify.rules)
* 1:22944 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:30532 <-> DISABLED <-> FILE-MULTIMEDIA CoCSoft Stream Download session (file-multimedia.rules)
* 1:22945 <-> DISABLED <-> FILE-IDENTIFY NAB file attachment detected (file-identify.rules)
* 1:22946 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:23666 <-> DISABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:23774 <-> DISABLED <-> FILE-IDENTIFY NAB file magic detected (file-identify.rules)
* 1:29888 <-> DISABLED <-> FILE-OTHER Clam Anti-Virus TNEF file handling denial of service attempt (file-other.rules)
* 1:29006 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:29007 <-> DISABLED <-> FILE-IDENTIFY XWD image file attachment detected (file-identify.rules)
* 1:29887 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre (blacklist.rules)
* 1:29752 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center SOM authentication bypass attempt (server-webapp.rules)
* 1:29614 <-> DISABLED <-> FILE-IDENTIFY XPS file download request (file-identify.rules)
* 1:29613 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)
* 1:29008 <-> DISABLED <-> FILE-IDENTIFY XWD image file download request (file-identify.rules)
* 1:29612 <-> DISABLED <-> FILE-IDENTIFY XPS file attachment detected (file-identify.rules)