The VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
* 1:33160 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
* 1:33161 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Rombertik outbound connection (malware-cnc.rules)
* 1:33162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:33163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:33164 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP out-of-bounds read attempt (file-flash.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks (malware-cnc.rules)
* 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33170 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33171 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
* 1:33172 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33173 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
* 1:33174 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33175 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33176 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
* 1:33177 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
* 1:33178 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33179 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33180 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
* 1:33187 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33185 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:33183 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:33181 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound communication (malware-cnc.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:29066 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound communication (malware-cnc.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:33188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep variant outbound connection (malware-cnc.rules)
* 1:33187 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33186 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download (exploit-kit.rules)
* 1:33185 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:33183 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:33181 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33180 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33179 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33178 <-> ENABLED <-> FILE-FLASH Adobe ActionScript out-of-bounds read attempt (file-flash.rules)
* 1:33177 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
* 1:33176 <-> ENABLED <-> FILE-FLASH Adobe Flash AWM2 out of bounds corruption attempt (file-flash.rules)
* 1:33175 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33174 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33173 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
* 1:33172 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33171 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX clsid access attempt (browser-plugins.rules)
* 1:33170 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33169 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33168 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33167 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33166 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Endpoint Manager Mobile Device Management remote code execution attempt (server-other.rules)
* 1:33165 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poweliks (malware-cnc.rules)
* 1:33164 <-> DISABLED <-> FILE-FLASH Adobe Flash Player RTMP out-of-bounds read attempt (file-flash.rules)
* 1:33163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:33162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:33161 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Rombertik outbound connection (malware-cnc.rules)
* 1:33160 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
* 1:33159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:29066 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit XORed payload download attempt (exploit-kit.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31548 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Yakes variant inbound communication (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound communication (malware-cnc.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
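Both release listings above use the same `gid:sid <-> Default rule state <-> Message (rule group)` format, and the practical question for anyone consuming them is which new rules ship DISABLED by default (here the Attachmate Reflection ActiveX, IE CClipStack, Flash RTMP and Sophos Web Appliance rules) and should be switched on for environments that run that software. The following is an added example, not code from the Snort/VRT announcement: a Python parser for this listing format that tolerates the two extraction artifacts seen above (several records run together on one line, and one record split across two lines), lists the rules that are disabled by default, counts changes per rule group, and emits one `gid:sid` per line for the groups you decide to enable. The sample text is copied from the listings above; the one-`gid:sid`-per-line output format is an assumption about the consuming tool (PulledPork's enablesid.conf accepts lines of that shape, but check your own tool's documentation).

```python
import re
from collections import Counter
from dataclasses import dataclass

# One record of the announcement format:
#   gid:sid <-> Default rule state <-> Message (rule group)
# Scanning with finditer (rather than matching line by line) handles a
# listing whose records were run together on one line by extraction, and
# DOTALL lets a message that was split across a line break still match;
# the lazy .+? stops at the first "(xxx.rules)" so records never merge.
RECORD_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)",
    re.DOTALL,
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool   # default state shipped in the rule pack
    msg: str        # rule message, whitespace-normalised
    group: str      # rule file, e.g. "file-flash.rules"


def parse_rule_changes(text: str) -> list[RuleChange]:
    """Parse every record in a VRT rule-pack listing, in listing order."""
    return [
        RuleChange(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            msg=" ".join(m["msg"].split()),   # collapse the line-break artifact
            group=m["group"],
        )
        for m in RECORD_RE.finditer(text)
    ]


def disabled_by_default(changes: list[RuleChange]) -> list[RuleChange]:
    """Rules the pack ships switched off; these need a deliberate decision."""
    return [c for c in changes if not c.enabled]


def count_by_group(changes: list[RuleChange]) -> dict[str, int]:
    """How many changed rules land in each rule file."""
    return dict(Counter(c.group for c in changes))


def enablesid_lines(changes: list[RuleChange], groups: set[str]) -> list[str]:
    """gid:sid lines (one per rule) for the disabled rules in the chosen groups.

    Assumption: the consumer reads one gid:sid per line, as PulledPork's
    enablesid.conf does; adapt if your rule manager wants another shape.
    """
    picked = [c for c in disabled_by_default(changes) if c.group in groups]
    return [f"{c.gid}:{c.sid}" for c in sorted(picked, key=lambda c: (c.gid, c.sid))]


# Constructed sample: records copied from the listing above, deliberately
# including one line with two records and one record broken across lines.
SAMPLE = """\
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules) * 1:33159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVM2 opcode type confusion denial of service attempt (file-flash.rules)
* 1:33170 <-> DISABLED <-> BROWSER-PLUGINS
Attachmate Reflection FTP Client Memory Corruption ActiveX function call access attempt (browser-plugins.rules)
* 1:33183 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
"""


if __name__ == "__main__":
    changes = parse_rule_changes(SAMPLE)
    print(f"{len(changes)} rule changes; per group: {count_by_group(changes)}")
    print("Disabled by default (review before deploying):")
    for c in disabled_by_default(changes):
        print(f"  {c.gid}:{c.sid}  {c.msg}  [{c.group}]")
    # A shop that runs the Attachmate Reflection FTP client would enable these:
    print("enablesid lines:", enablesid_lines(changes, {"browser-plugins.rules"}))
```

Run it against the full text of either listing above to get the same summary for the whole release; pass the set of rule files relevant to your environment to `enablesid_lines` and feed the result to your rule manager.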