Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45612 <-> DISABLED <-> PROTOCOL-TFTP WRITE long filename attempt (protocol-tftp.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45619 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45611 <-> DISABLED <-> PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45614 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45622 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45623 <-> ENABLED <-> SERVER-WEBAPP Cisco RV132W and RV134W routers command injection attempt (server-webapp.rules)

* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:27875 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (indicator-obfuscation.rules)
* 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
* 3:45596 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45611 <-> DISABLED <-> PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45612 <-> DISABLED <-> PROTOCOL-TFTP WRITE long filename attempt (protocol-tftp.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45614 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45619 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 3:45623 <-> ENABLED <-> SERVER-WEBAPP Cisco RV132W and RV134W routers command injection attempt (server-webapp.rules)
* 3:45622 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)

* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:27875 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (indicator-obfuscation.rules)
* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 3:45596 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
* 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45619 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45612 <-> DISABLED <-> PROTOCOL-TFTP WRITE long filename attempt (protocol-tftp.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45614 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45611 <-> DISABLED <-> PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 3:45622 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45623 <-> ENABLED <-> SERVER-WEBAPP Cisco RV132W and RV134W routers command injection attempt (server-webapp.rules)

* 1:27875 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (indicator-obfuscation.rules)
* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
* 3:45596 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
* 1:45612 <-> DISABLED <-> PROTOCOL-TFTP WRITE long filename attempt (protocol-tftp.rules)
* 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45614 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45619 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
* 1:45611 <-> DISABLED <-> PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt (protocol-snmp.rules)
* 3:45623 <-> ENABLED <-> SERVER-WEBAPP Cisco RV132W and RV134W routers command injection attempt (server-webapp.rules)
* 3:45622 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
* 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)

* 1:27875 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (indicator-obfuscation.rules)
* 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
* 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
* 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
* 3:45596 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)