Talos has added and modified multiple rules in the app-detect, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poxters external connection (malware-cnc.rules)
* 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection attempt (malware-cnc.rules)
* 1:40291 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection attempt (malware-cnc.rules)
* 1:40293 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40292 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40295 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40296 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40297 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40294 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40302 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed Portal cross-site scripting attempt (server-apache.rules)
* 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET buffer overflow attempt (server-other.rules)
* 3:40304 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
* 3:40303 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
* 3:40299 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
* 3:40300 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
* 3:40298 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed H.450 PER data out of bounds read attempt (protocol-voip.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40302 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed Portal cross-site scripting attempt (server-apache.rules)
* 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET buffer overflow attempt (server-other.rules)
* 1:40297 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40296 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40295 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40294 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
* 1:40293 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40292 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40291 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
* 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection attempt (malware-cnc.rules)
* 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection attempt (malware-cnc.rules)
* 1:40288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poxters external connection (malware-cnc.rules)
* 3:40300 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
* 3:40304 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
* 3:40303 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
* 3:40298 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed H.450 PER data out of bounds read attempt (protocol-voip.rules)
* 3:40299 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
* 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
* 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)