Talos has added and modified multiple rules in the blacklist, exploit-kit, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-scada, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43210 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43209 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43208 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
* 1:43196 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
* 1:43195 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
* 1:43201 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
* 1:43202 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
* 1:43205 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43204 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
* 1:43207 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
* 1:43199 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
* 1:43198 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
* 1:43203 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
* 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules)
* 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules)
* 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
* 1:43219 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
* 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules)
* 1:43221 <-> ENABLED <-> MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server (malware-other.rules)
* 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
* 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
* 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
* 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
* 1:43229 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43197 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43236 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43235 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43206 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43234 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43232 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43231 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43233 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43230 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43200 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
* 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)
* 3:43214 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
* 3:43215 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
* 3:43212 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
* 3:43213 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
* 1:43236 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43235 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43234 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43233 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43232 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43231 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43230 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43229 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
* 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
* 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
* 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
* 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
* 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
* 1:43221 <-> ENABLED <-> MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server (malware-other.rules)
* 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules)
* 1:43219 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
* 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
* 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules)
* 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules)
* 1:43210 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43209 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43208 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
* 1:43207 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
* 1:43206 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43205 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
* 1:43204 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
* 1:43203 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
* 1:43202 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
* 1:43201 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
* 1:43200 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
* 1:43199 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
* 1:43198 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
* 1:43197 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
* 1:43196 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
* 1:43195 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
* 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)
* 3:43212 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
* 3:43213 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
* 3:43214 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
* 3:43215 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
* 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
* 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
* 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
* 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
* 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
* 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
* 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
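The "gid:sid <-> Default rule state <-> Message (rule group)" format given for both the 2983 and 2990 lists is easy to process mechanically, and the thing a practitioner actually wants from it is a list of decisions: which new rules ship DISABLED (those fire nothing until you turn them on, and several here, such as the IEC 104 and Shockwave rules, only make sense where that traffic exists), how the changes break down per rule group, and whether two release lists really carry the same SIDs. The Python below is an added example, not code from Talos or the Snort project; the class and function names are my own, and the embedded input is an excerpt of entries copied from the two lists above, one of them in the run-together form the extracted page carries.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Entry format stated on the page:
#   gid:sid <-> Default rule state <-> Message (rule group)
# re.DOTALL lets the message span a line break, which happens in extracted
# copies of these lists where one entry is broken across two lines.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


@dataclass(frozen=True)
class RuleEntry:  # hypothetical name; not a Snort or Talos type
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Extract every entry from a list, whether one per line or run together
    with ' * ' separators; whitespace inside a message is normalised."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append(RuleEntry(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            message=" ".join(m["msg"].split()),
            group=m["group"],
        ))
    return entries


def by_group(entries: list[RuleEntry]) -> dict[str, dict[str, int]]:
    """Enabled/disabled counts per rule group (the .rules file name)."""
    counts = defaultdict(lambda: {"enabled": 0, "disabled": 0})
    for e in entries:
        counts[e.group]["enabled" if e.enabled else "disabled"] += 1
    return dict(counts)


def disabled_for_review(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of rules that ship DISABLED, sorted. They produce no alerts until
    enabled, so each one is a decision to make against your own traffic."""
    return [e.key for e in sorted(entries, key=lambda e: (e.gid, e.sid)) if not e.enabled]


def diff_releases(old: list[RuleEntry], new: list[RuleEntry]) -> tuple[list[str], list[str]]:
    """(keys only in new, keys only in old) when comparing two release lists."""
    old_keys = {e.key for e in old}
    new_keys = {e.key for e in new}
    return sorted(new_keys - old_keys), sorted(old_keys - new_keys)


# Excerpt of the 2983 list on this page, in the run-together form it appears in
# above, with one entry broken across a line exactly as extracted.
RELEASE_2983 = (
    "* 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules) "
    "* 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules) "
    "* 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant \n"
    "outbound connection (pua-adware.rules) "
    "* 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules) "
    "* 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules) "
    "* 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)"
)

# The same six entries as they appear in the 2990 list, one per line.
RELEASE_2990 = """\
* 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)
* 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
* 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules)
* 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
* 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules)
* 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules)
"""

if __name__ == "__main__":
    old, new = parse_changelog(RELEASE_2983), parse_changelog(RELEASE_2990)
    for group, c in sorted(by_group(new).items()):
        print(f"{group:32} enabled={c['enabled']} disabled={c['disabled']}")
    print("disabled, decide whether to enable:", disabled_for_review(new))
    print("added/removed between releases:", diff_releases(old, new))
```

Run against the full lists, `diff_releases` comes back empty for the 2983 and 2990 entries on this page, which is the check to run before assuming a new release changed anything for you; `disabled_for_review` gives the gid:sid keys in the one-per-line form that rule-management tools such as pulledpork accept in their enablesid configuration.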