Talos has added and modified multiple rules in the blacklist, browser-other, file-flash, file-office, indicator-compromise, malware-cnc, protocol-tftp, pua-adware, server-mssql and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
* 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
* 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
* 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
* 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
* 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
* 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
* 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
* 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
* 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
* 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)
* 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)
* 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
* 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
* 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
* 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
* 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
* 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
* 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
* 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
* 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
* 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
* 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
* 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
* 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
* 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
* 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)
* 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)
* 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
* 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
* 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
* 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
* 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:39452 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx factory reset request (protocol-tftp.rules)
* 1:39451 <-> DISABLED <-> PROTOCOL-TFTP Comtrol RocketLinx switch reboot request (protocol-tftp.rules)
* 1:39450 <-> DISABLED <-> PROTOCOL-TFTP Firmware upgrade request (protocol-tftp.rules)
* 1:39449 <-> DISABLED <-> SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt (server-mssql.rules)
* 1:39448 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renos variant outbound connection (malware-cnc.rules)
* 1:39447 <-> ENABLED <-> BLACKLIST DNS request for known malware domain plusvan.com - Win.Trojan.Renos (blacklist.rules)
* 1:39446 <-> ENABLED <-> BLACKLIST DNS request for known malware domain homebuyline.com - Win.Trojan.Renos (blacklist.rules)
* 1:39445 <-> ENABLED <-> BLACKLIST DNS request for known malware domain buyitave.com - Win.Trojan.Renos (blacklist.rules)
* 1:39444 <-> DISABLED <-> INDICATOR-COMPROMISE Netgear D6000 or D3600 password recovery page access attempt (indicator-compromise.rules)
* 1:39443 <-> ENABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
* 1:39442 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite Arbitrary Document Download attempt (server-webapp.rules)
* 1:39441 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39440 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39439 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39438 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer overflow attempt (file-flash.rules)
* 1:39437 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39436 <-> DISABLED <-> SERVER-WEBAPP Soitec Smart Energy SQL injection attempt (server-webapp.rules)
* 1:39435 <-> DISABLED <-> SERVER-WEBAPP Advantech SQL injection attempt (server-webapp.rules)
* 1:39434 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:39433 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection (malware-cnc.rules)
* 1:23385 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise Messenger nmma.exe login memory corruption attempt (server-webapp.rules)
* 1:26489 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:26490 <-> ENABLED <-> BROWSER-OTHER Novell Messenger Client nim URI handler buffer overflow attempt (browser-other.rules)
* 1:29105 <-> DISABLED <-> SERVER-WEBAPP ManageEngine DesktopCentral agentLogUploader servlet directory traversal attempt (server-webapp.rules)
* 1:34974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
* 1:34975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio UML string object heap buffer overflow attempt (file-office.rules)
* 1:35701 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35702 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:35703 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager agentKey SQL injection attempt (server-webapp.rules)
* 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap overflow attempt (server-other.rules)