Talos has added and modified multiple rules in the blacklist, browser-webkit, exploit-kit, file-flash, file-pdf, malware-cnc, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
* 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
* 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
* 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
Modified Rules:
* 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
* 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
* 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
* 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
* 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
* 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
* 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
* 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
* 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
Modified Rules:
* 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
* 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
* 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
* 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:33926 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33925 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33924 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33923 <-> ENABLED <-> FILE-FLASH Adobe Flash Player paletteMap integer overflow attempt (file-flash.rules)
* 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
* 1:33921 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AVSegmentedSource caption unlink use-after-free attempt (file-flash.rules)
* 1:33917 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33916 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33914 <-> ENABLED <-> BLACKLIST User-Agent BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules)
* 1:33913 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Concbak outbound connection (malware-cnc.rules)
* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 1:33911 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33910 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit rowspan denial of service attempt (browser-webkit.rules)
* 1:33909 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33908 <-> DISABLED <-> FILE-PDF Adobe Reader CoolType.dll out-of-bounds memory write access attempt (file-pdf.rules)
* 1:33907 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex (blacklist.rules)
* 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:8888888 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
* 3:8888889 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
Modified Rules:
* 1:33852 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
* 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
* 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
* 1:31014 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptowall variant outbound communication (malware-cnc.rules)
* 1:33851 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poseidon outbound connection (malware-cnc.rules)
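The "gid:sid <-> Default rule state <-> Message (rule group)" format described above for all three rule packs (2962, 2970 and 2972) is simple enough to parse into something a rule maintainer can act on: a per-group count of what arrives switched off, a check that two packs really carry the same rule set, and a PulledPork enablesid.conf for rules that ship DISABLED but protect software you actually run (the HP ArcSight Logger and WordPress entries here, for example). The following is an added example, not code from Talos, Snort or the PulledPork project; the sample text is a constructed excerpt of the lists on this page, the "enable server-webapp" policy is a hypothetical local choice, and the enablesid.conf layout assumed is PulledPork's one-gid:sid-per-line form with "#" comments.

```python
"""Parse Talos/Snort rule-update changelog entries and turn them into
actionable artefacts: per-group counts, a diff between two packs, and a
PulledPork enablesid.conf for rules that ship DISABLED by default.

Added example, not code from Talos, Snort or PulledPork. The sample text
is a constructed excerpt of this page's lists; the set of groups to
enable is a hypothetical local policy.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One changelog entry: "gid:sid <-> STATE <-> Message (group.rules)".
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# Extracted pages often run several entries together on one line; each
# entry still starts with a "* " bullet followed by gid:sid, so split there.
BULLET_RE = re.compile(r"\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int      # 1 = text rules, 3 = shared-object rules
    sid: int
    state: str    # "ENABLED" or "DISABLED"
    msg: str
    group: str    # e.g. "server-webapp.rules"

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list:
    """Return every well-formed entry in text; prose lines are ignored."""
    entries = []
    for line in text.splitlines():
        for piece in BULLET_RE.split(line):
            m = ENTRY_RE.match(piece.strip())
            if m:
                entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                         m["state"], m["msg"], m["group"]))
    return entries


def group_counts(entries) -> dict:
    """{group: {"ENABLED": n, "DISABLED": n}}: which groups arrive switched off."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for e in entries:
        counts[e.group][e.state] += 1
    return dict(counts)


def diff_packs(old, new):
    """Compare two packs by gid:sid and default state.
    Returns (added, removed, state_changed) as sets of "gid:sid" keys."""
    old_map = {e.key: e.state for e in old}
    new_map = {e.key: e.state for e in new}
    added = set(new_map) - set(old_map)
    removed = set(old_map) - set(new_map)
    changed = {k for k in old_map.keys() & new_map.keys() if old_map[k] != new_map[k]}
    return added, removed, changed


def enablesid_conf(entries, groups) -> str:
    """PulledPork enablesid.conf content that turns on rules shipping
    DISABLED in the named groups. Each sid is preceded by a comment with
    its msg so the override documents itself."""
    lines = ["# generated from Talos changelog; review before deploying"]
    for e in sorted(entries, key=lambda e: (e.gid, e.sid)):
        if e.state == "DISABLED" and e.group in groups:
            lines.append(f"# {e.msg}")
            lines.append(e.key)
    return "\n".join(lines) + "\n"


# Constructed excerpt of the 2962 list. The first line is deliberately run
# together, as extracted copies of these pages often are.
PACK_2962 = """\
* 1:33914 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Barys (blacklist.rules) * 1:33915 <-> DISABLED <-> SERVER-WEBAPP HP ArcSight Logger directory traversal attempt (server-webapp.rules)
* 1:33922 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary web script injection attempt (server-webapp.rules)
* 3:33927 <-> ENABLED <-> SERVER-OTHER Cisco IOS virtual routing and forwarding ICMP redirect denial of service attempt (server-other.rules)
* 1:24348 <-> DISABLED <-> SERVER-APACHE Apache mod_rpaf x-forwarded-for header denial of service attempt (server-apache.rules)
"""
# The later packs on this page list the same entries in a different order.
PACK_2970 = "\n".join(reversed(PACK_2962.splitlines())) + "\n"

if __name__ == "__main__":
    entries = parse_changelog(PACK_2962)
    print(group_counts(entries))
    print(diff_packs(entries, parse_changelog(PACK_2970)))
    print(enablesid_conf(entries, {"server-webapp.rules"}))
```

Run it as a script to see the three outputs; in practice you would feed the whole changelog text to parse_changelog and diff the new pack against the one you last deployed, so that a rule whose default state flipped (or a modified rule you carry a local override for) shows up before the update goes live. Shared-object entries (gid 3) are parsed like any other; only the sid decides the enablesid line.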