Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-other, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
* 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
* 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
* 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
* 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
* 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (snort3-indicator-obfuscation.rules)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (snort3-malware-cnc.rules)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (snort3-indicator-obfuscation.rules)

* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (snort3-server-webapp.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
* 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
* 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
* 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
* 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
* 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)
* 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
* 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)

* 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
* 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
* 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)