Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
* 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
* 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
* 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
* 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
* 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
* 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
* 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
* 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)
* 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
* 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
* 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
* 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)
* 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
* 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
* 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
* 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
* 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
* 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
* 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
* 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
* 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
* 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
* 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
* 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
* 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
* 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)
* 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
* 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
* 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
* 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
* 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
* 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
* 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
* 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
* 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
* 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)