Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:43013 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43012 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43011 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43014 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43010 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43017 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43018 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43006 <-> DISABLED <-> SERVER-WEBAPP MailStore Server cross site scripting attempt (server-webapp.rules)
* 1:43007 <-> DISABLED <-> SERVER-OTHER HP Operations Orchestration unauthorized serialized object attempt (server-other.rules)
* 1:43019 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43008 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43020 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43021 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43022 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43023 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43024 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43025 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43026 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43027 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43028 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43029 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43030 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43031 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43032 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43033 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43034 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43035 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43036 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt (server-webapp.rules)
* 1:43037 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt (server-webapp.rules)
* 1:43038 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt (server-webapp.rules)
* 1:43039 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt (server-webapp.rules)
* 1:43040 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt (server-webapp.rules)
* 1:43042 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt (browser-ie.rules)
* 1:43041 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt (server-webapp.rules)
* 1:43043 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt (browser-ie.rules)
* 1:43044 <-> DISABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43046 <-> DISABLED <-> BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt (browser-plugins.rules)
* 1:43009 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43015 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43047 <-> DISABLED <-> BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt (browser-plugins.rules)
* 1:43063 <-> ENABLED <-> MALWARE-CNC Trojan KABOB outbound connection attempt (malware-cnc.rules)
* 1:43062 <-> DISABLED <-> SERVER-WEBAPP Cogent Datahub EvalExpresssion remote code execution attempt (server-webapp.rules)
* 1:43059 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt (file-flash.rules)
* 1:43058 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt (file-flash.rules)
* 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
* 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
* 1:43055 <-> DISABLED <-> SERVER-OTHER Veritas Netbackup bprd remote code execution attempt (server-other.rules)
* 1:43054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows IIS buffer overflow attempt (os-windows.rules)
* 1:43016 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43053 <-> DISABLED <-> SERVER-SAMBA Samba LDAP modify dnsRecord buffer overflow attempt (server-samba.rules)
* 1:43052 <-> DISABLED <-> FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt (file-image.rules)
* 1:43050 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric ClearSCADA information disclosure attempt (server-webapp.rules)
* 1:43051 <-> DISABLED <-> FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt (file-image.rules)
* 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection attempt (malware-cnc.rules)
* 3:43061 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0352 attack attempt (server-webapp.rules)
* 3:43005 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0353 attack attempt (server-webapp.rules)
* 3:43060 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0355 attack attempt (server-other.rules)
* 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
* 1:29518 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
* 1:34796 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:38077 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
* 1:34794 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:38078 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
* 1:39588 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43063 <-> ENABLED <-> MALWARE-CNC Trojan KABOB outbound connection attempt (malware-cnc.rules)
* 1:43062 <-> DISABLED <-> SERVER-WEBAPP Cogent Datahub EvalExpresssion remote code execution attempt (server-webapp.rules)
* 1:43059 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt (file-flash.rules)
* 1:43058 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid DefinedEditText tag memory corruption attempt (file-flash.rules)
* 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
* 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
* 1:43055 <-> DISABLED <-> SERVER-OTHER Veritas Netbackup bprd remote code execution attempt (server-other.rules)
* 1:43054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows IIS buffer overflow attempt (os-windows.rules)
* 1:43053 <-> DISABLED <-> SERVER-SAMBA Samba LDAP modify dnsRecord buffer overflow attempt (server-samba.rules)
* 1:43052 <-> DISABLED <-> FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt (file-image.rules)
* 1:43051 <-> DISABLED <-> FILE-IMAGE Apple Quicktime malformed FPX file memory corruption attempt (file-image.rules)
* 1:43050 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric ClearSCADA information disclosure attempt (server-webapp.rules)
* 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection attempt (malware-cnc.rules)
* 1:43048 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:43047 <-> DISABLED <-> BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt (browser-plugins.rules)
* 1:43046 <-> DISABLED <-> BROWSER-PLUGINS ICONICS SCADA WebHMI ActiveX clsid access attempt (browser-plugins.rules)
* 1:43045 <-> ENABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43044 <-> DISABLED <-> SERVER-OTHER RaySharp DVR administrative interface access attempt (server-other.rules)
* 1:43043 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt (browser-ie.rules)
* 1:43042 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON strigify double free attempt (browser-ie.rules)
* 1:43041 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt (server-webapp.rules)
* 1:43040 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager probeName SQL injection attempt (server-webapp.rules)
* 1:43039 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt (server-webapp.rules)
* 1:43038 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager Search query SQL injection attempt (server-webapp.rules)
* 1:43037 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt (server-webapp.rules)
* 1:43036 <-> DISABLED <-> SERVER-WEBAPP ZOHO ManageEngine OpManager OPM_BVNAME SQL injection attempt (server-webapp.rules)
* 1:43035 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43034 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43033 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43032 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43031 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43030 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43029 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43028 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43027 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43026 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43025 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43024 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43023 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43022 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43021 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43020 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43019 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43018 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43017 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43016 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43015 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43014 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43013 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43012 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43011 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43010 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43009 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43008 <-> DISABLED <-> BROWSER-PLUGINS Micro Focus Rumba+ ActiveX clsid access attempt (browser-plugins.rules)
* 1:43007 <-> DISABLED <-> SERVER-OTHER HP Operations Orchestration unauthorized serialized object attempt (server-other.rules)
* 1:43006 <-> DISABLED <-> SERVER-WEBAPP MailStore Server cross site scripting attempt (server-webapp.rules)
* 3:43005 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0353 attack attempt (server-webapp.rules)
* 3:43061 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0352 attack attempt (server-webapp.rules)
* 3:43060 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0355 attack attempt (server-other.rules)
* 1:29518 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:2570 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
* 1:34794 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:34796 <-> ENABLED <-> FILE-FLASH Adobe Flash Player JSON stringify memory corruption attempt (file-flash.rules)
* 1:38077 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
* 1:38078 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
* 1:38934 <-> ENABLED <-> SERVER-WEBAPP Oracle Application Testing Suite actionservlet directory traversal attempt (server-webapp.rules)
* 1:39588 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39589 <-> DISABLED <-> SERVER-WEBAPP WebNMS Framework arbitrary file upload attempt (server-webapp.rules)
* 1:39812 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:39813 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
* 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
* 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
* 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)