Talos has added and modified multiple rules in the browser-firefox, file-image, file-pdf, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (server-other.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (netbios.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (server-webapp.rules)
* 3:48240 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
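The "gid:sid <-> Default rule state <-> Message (rule group)" lines above are what an operator actually has to act on: decide which DISABLED rules to turn on, and check what differs between the Snort 2 and Snort 3 lists. The following Python is an added example, not Talos or Snort code, that parses entries in that format (whether one per line or run together with " * " separators, as the lists appear when copied from the page), groups them by default state, emits the DISABLED ones as gid:sid lines in the one-entry-per-line form PulledPork's enablesid.conf accepts, and diffs two lists. The two sample lists are subsets copied from the 2983 and 3000 lists on this page; the function names are this example's own.

```python
"""Parse 'gid:sid <-> STATE <-> Message (group)' entries from a Talos rule
update notice and turn them into something an operator can act on."""
import re

# One changelog entry. DOTALL lets a message that was wrapped across lines
# (as happens when the page is copied) still match; whitespace in the
# message is normalised afterwards.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)",
    re.DOTALL,
)


def parse_rulelist(text):
    """Map (gid, sid) -> {'state', 'msg', 'group'} for every entry in text.

    Entries may be one per line or separated by ' * ' on a single line."""
    rules = {}
    for m in ENTRY_RE.finditer(text):
        key = (int(m.group("gid")), int(m.group("sid")))
        rules[key] = {
            "state": m.group("state"),
            "msg": " ".join(m.group("msg").split()),
            "group": m.group("group"),
        }
    return rules


def by_state(rules):
    """Split parsed rules into sorted ENABLED / DISABLED key lists."""
    out = {"ENABLED": [], "DISABLED": []}
    for key, r in rules.items():
        out[r["state"]].append(key)
    for keys in out.values():
        keys.sort()
    return out


def enablesid_lines(rules, groups=None):
    """'gid:sid' lines for rules that ship DISABLED, optionally limited to
    the given rule groups. This is the per-line form PulledPork's
    enablesid.conf takes (assumption of this example), so the output can be
    reviewed and pasted there."""
    keys = [k for k, r in rules.items()
            if r["state"] == "DISABLED" and (groups is None or r["group"] in groups)]
    return ["%d:%d" % k for k in sorted(keys)]


def diff_rulelists(old, new):
    """Keys only in new, only in old, and keys whose default state changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "state_changed": sorted(k for k in set(old) & set(new)
                                if old[k]["state"] != new[k]["state"]),
    }


# Sample input: a subset of the Snort 2983 list on this page.
SNORT2_2983_SAMPLE = """
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
"""

# Sample input: the same SIDs as they appear in the Snort 3000 list on this
# page, which carries no gid 3 entries.
SNORT3_3000_SAMPLE = """
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (snort3-os-windows.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (snort3-server-webapp.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (snort3-file-pdf.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (snort3-server-other.rules)
"""

if __name__ == "__main__":
    old = parse_rulelist(SNORT2_2983_SAMPLE)
    new = parse_rulelist(SNORT3_3000_SAMPLE)
    print("default states:", {s: len(k) for s, k in by_state(old).items()})
    print("DISABLED candidates for enablesid.conf:", enablesid_lines(old))
    print("in the Snort 2 list but not the Snort 3 list:",
          diff_rulelists(old, new)["removed"])
```

Run it against a whole notice and the diff shows at once that the gid 3 (shared object) entries present in the Snort 2 lists have no counterpart in the Snort 3 list, and the enablesid output gives a reviewable starting point rather than blanket-enabling every new rule.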
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (server-webapp.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (server-webapp.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (server-other.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (netbios.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:48240 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (snort3-browser-firefox.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (snort3-file-pdf.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (snort3-file-pdf.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (snort3-server-webapp.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (snort3-server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (snort3-server-webapp.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (snort3-server-other.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (snort3-browser-firefox.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (snort3-file-pdf.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (snort3-server-webapp.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (snort3-server-other.rules)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (snort3-os-windows.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (snort3-server-webapp.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (snort3-os-windows.rules)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (snort3-netbios.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (netbios.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (server-webapp.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (server-other.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (server-webapp.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
* 3:48240 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (server-webapp.rules)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (netbios.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (server-other.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 3:48240 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitary file deletion attempt (os-windows.rules)
* 1:48236 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Responsive Portfolio SQL injection attempt (server-webapp.rules)
* 1:48235 <-> ENABLED <-> SERVER-OTHER NUUO NVRMini2 stack based buffer overflow attempt (server-other.rules)
* 1:48234 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by fiql (server-webapp.rules)
* 1:48233 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope information disclosure by orderBy (server-webapp.rules)
* 1:48232 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48231 <-> DISABLED <-> SERVER-WEBAPP Apache Syncope XSL transform code injection attempt (server-webapp.rules)
* 1:48230 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48229 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48228 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC create_user.cgi command injection attempt (server-webapp.rules)
* 1:48227 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48226 <-> DISABLED <-> FILE-PDF Foxit PDF Reader JavaScript annotations use after free attempt (file-pdf.rules)
* 1:48225 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48224 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox sandbox escape attempt (browser-firefox.rules)
* 1:48223 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48222 <-> DISABLED <-> FILE-PDF Foxit Reader and PhantomPDF use after free exploitation attempt (file-pdf.rules)
* 1:48241 <-> ENABLED <-> NETBIOS Cisco WebEx WebExService.exe remote code execution attempt (netbios.rules)
* 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
* 1:48221 <-> DISABLED <-> SERVER-OTHER Oracle MySQL uninitialized variable remote code execution attempt (server-other.rules)
* 3:48239 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:48240 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS precision time protocol denial of service attempt (server-other.rules)
* 3:41372 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)
* 3:41373 <-> ENABLED <-> FILE-IMAGE Oracle Outside In libvs_gif out of bounds write attempt (file-image.rules)