The VRT has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, malware-cnc, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
* 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)
* 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
* 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
* 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
* 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
* 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
* 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
* 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
* 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)
* 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
* 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)
* 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
* 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
* 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
* 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
* 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
* 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
* 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
* 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
* 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)
* 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
* 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
* 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
* 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
* 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
* 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)
* 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)
* 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
* 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
* 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
* 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
* 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
* 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
* 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31585 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS .ipsum layout use-after-free attempt (browser-ie.rules)
* 1:31583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31582 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31581 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31580 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer OnMove Use After Free exploit attempt (browser-ie.rules)
* 1:31579 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:31578 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31577 <-> DISABLED <-> PROTOCOL-SNMP HP Huawei password disclosure attempt (protocol-snmp.rules)
* 1:31576 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31575 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31574 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31573 <-> DISABLED <-> FILE-IMAGE GIMP XWD RedMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31572 <-> DISABLED <-> FILE-IMAGE GIMP XWD GreenMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31571 <-> DISABLED <-> FILE-IMAGE GIMP XWD BlueMask file-handling stack buffer overflow attempt (file-image.rules)
* 1:31570 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt (server-mysql.rules)
* 1:31569 <-> DISABLED <-> SERVER-WEBAPP Tiki Wiki 8.3 unserialize PHP remote code execution attempt (server-webapp.rules)
* 1:31568 <-> DISABLED <-> SERVER-WEBAPP Invsionix Roaming System remote file include attempt (server-webapp.rules)
* 1:31567 <-> DISABLED <-> SERVER-WEBAPP Gitlist remote command injection attempt (server-webapp.rules)
* 1:31566 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS.php remote file include attempt (server-webapp.rules)
* 1:31565 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedatingCMS2.php remote file include attempt (server-webapp.rules)
* 1:31564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration (malware-cnc.rules)
* 1:31563 <-> DISABLED <-> MALWARE-CNC Backdoor Elirks.A command and control traffic (malware-cnc.rules)
* 1:31562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:31561 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin successful theme file upload detected (server-webapp.rules)
* 1:31560 <-> ENABLED <-> SERVER-WEBAPP Wordpress MailPoet plugin theme file upload attempt (server-webapp.rules)
* 1:16809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FraudPack variant outbound connection (malware-cnc.rules)
* 1:16820 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:17560 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word global array index heap overflow attempt (file-office.rules)
* 1:20124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Lbl record attempt (file-office.rules)
* 1:20680 <-> DISABLED <-> SERVER-WEBAPP Flashchat aedating4CMS.php remote file include attempt (server-webapp.rules)
* 1:20728 <-> DISABLED <-> SERVER-WEBAPP WoW Roster remote file include with hslist.php and conf.php attempt (server-webapp.rules)
* 1:25667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:25668 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nflog variant outbound connection (malware-cnc.rules)
* 1:26777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kazy variant outbound connection (malware-cnc.rules)
* 1:27201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt variant outbound communication (malware-cnc.rules)
* 1:29754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer style.position use-after-free memory corruption attempt (browser-ie.rules)
* 1:29760 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto (blacklist.rules)
* 1:8441 <-> DISABLED <-> SERVER-WEBAPP McAfee header buffer overflow attempt (server-webapp.rules)