Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, indicator-obfuscation, malware-cnc, malware-other, protocol-dns and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38661 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38665 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38662 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38663 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38664 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38643 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38645 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38651 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38652 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38653 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38654 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38657 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38656 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38655 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38658 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:38650 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38660 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38659 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:37730 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt (protocol-dns.rules)
* 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)
* 1:37731 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt (protocol-dns.rules)
* 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:17518 <-> DISABLED <-> PROTOCOL-FTP FlashGet PWD command stack buffer overflow attempt (protocol-ftp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38643 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38645 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38650 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38651 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38652 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38653 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38654 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38655 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38656 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38657 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38658 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:38665 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38664 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38661 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38662 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38663 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38659 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38660 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:37730 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt (protocol-dns.rules)
* 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)
* 1:37731 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt (protocol-dns.rules)
* 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:17518 <-> DISABLED <-> PROTOCOL-FTP FlashGet PWD command stack buffer overflow attempt (protocol-ftp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
* 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
* 1:38665 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38664 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38663 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38662 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38661 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38660 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38659 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38658 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38657 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38656 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38655 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38654 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38653 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38652 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38651 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38650 <-> ENABLED <-> MALWARE-OTHER PWOBot variant download attempt (malware-other.rules)
* 1:38649 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38648 <-> DISABLED <-> SERVER-OTHER Trend Micro remote debugging URL handling remote code execution attempt (server-other.rules)
* 1:38647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38645 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38644 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38643 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jadowndec outbound connection attempt (malware-cnc.rules)
* 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
* 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
* 1:38640 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38639 <-> ENABLED <-> FILE-OFFICE Microsoft Office document with auto-start VBA macro detected (file-office.rules)
* 1:38638 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GozNym variant outbound connection (malware-cnc.rules)
* 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38636 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38635 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38634 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38633 <-> ENABLED <-> FILE-FLASH Nuclear exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38632 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38631 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38630 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:38629 <-> ENABLED <-> FILE-FLASH Angler exploit kit Adobe Flash SWF exploit download (file-flash.rules)
* 1:17518 <-> DISABLED <-> PROTOCOL-FTP FlashGet PWD command stack buffer overflow attempt (protocol-ftp.rules)
* 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
* 1:37730 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt (protocol-dns.rules)
* 1:37731 <-> DISABLED <-> PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt (protocol-dns.rules)
* 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)