Talos has added and modified multiple rules in the browser-webkit, file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300 (Snort 2.9.13.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
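The lists on this page are easier to act on as structured data than as text, in particular for deciding which of the rules that ship DISABLED (the Intel AMT policy rules and the Debian apt remote code execution rule above, for instance) should be switched on for a given network. The following Python script is an added example, not code from Talos or from Snort: it parses entries in the documented gid:sid <-> Default rule state <-> Message (rule group) format, even when extraction has run several entries together on one line, separates the rules that are disabled by default, and emits the chosen ones as one gid:sid per line, which is the shape PulledPork's enablesid.conf accepts. SAMPLE is a constructed copy of six entries from the list above; the class and function names are this example's own.

```python
"""Parse a Talos rule-update release note into structured records.

Added example for this page, not code from Talos or from Snort. The input
format is the one the release notes document:
    gid:sid <-> Default rule state <-> Message (rule group)
SAMPLE below is a constructed copy of six entries from the list above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One entry. The rule group is the .rules file name; the Snort 3 list on
# this page carries a "snort3-" prefix, which the group pattern also accepts.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

# Entries are introduced by "* " and may have been run together onto one
# line; split only where a gid:sid actually follows the marker.
SEPARATOR_RE = re.compile(r"\s*\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # True for ENABLED; False means shipped but not active
    category: str      # first token of the message, e.g. OS-LINUX
    message: str
    group: str         # rule file, e.g. os-linux.rules or snort3-os-linux.rules


def parse_release_notes(text: str) -> list[RuleEntry]:
    """Return every entry in text; raise on anything not in the documented format."""
    entries = []
    for chunk in SEPARATOR_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"entry not in gid:sid <-> state <-> message (group) form: {chunk!r}")
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=m.group("state") == "ENABLED",
            category=msg.split(" ", 1)[0],
            message=msg,
            group=m.group("group"),
        ))
    return entries


def disabled_by_default(entries: list[RuleEntry]) -> list[tuple[int, int]]:
    """(gid, sid) pairs that ship DISABLED: the rules an operator must opt into."""
    return sorted({(e.gid, e.sid) for e in entries if not e.enabled})


def enablesid_lines(entries: list[RuleEntry], categories: set[str]) -> list[str]:
    """Disabled rules in the given categories, one 'gid:sid' per line, the shape
    PulledPork's enablesid.conf accepts for turning rules on."""
    wanted = sorted(
        {(e.gid, e.sid) for e in entries if not e.enabled and e.category in categories}
    )
    return [f"{gid}:{sid}" for gid, sid in wanted]


def count_by_category(entries: list[RuleEntry]) -> Counter:
    """How many entries each rule category (OS-LINUX, FILE-PDF, ...) contributes."""
    return Counter(e.category for e in entries)


# Constructed sample: six entries copied from the 2091300 list above.
SAMPLE = (
    "* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules) "
    "* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules) "
    "* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules) "
    "* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules) "
    "* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules) "
    "* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)"
)

if __name__ == "__main__":
    parsed = parse_release_notes(SAMPLE)
    print(f"{len(parsed)} entries, {len(disabled_by_default(parsed))} disabled by default")
    for cat, n in sorted(count_by_category(parsed).items()):
        print(f"  {cat:<22} {n}")
    print("enablesid.conf lines for OS-LINUX and POLICY-OTHER:")
    print("\n".join(enablesid_lines(parsed, {"OS-LINUX", "POLICY-OTHER"})))
```

Feed it the text of one version's lists and the disabled set is the review queue: policy rules such as the Intel AMT ones are noisy where AMT is in legitimate use but are exactly what to enable on segments where no management traffic should appear, and the parser fails loudly rather than silently dropping an entry whose state or group it cannot read.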
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200 (Snort 2.9.12.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101 (Snort 2.9.11.1).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000 (Snort 3.0; the rule groups in this list carry the snort3- prefix).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (snort3-file-other.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (snort3-file-other.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (snort3-policy-other.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (snort3-malware-cnc.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (snort3-malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (snort3-indicator-compromise.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (snort3-malware-cnc.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (snort3-malware-cnc.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (snort3-os-windows.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (snort3-os-windows.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (snort3-file-other.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (snort3-os-linux.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (snort3-policy-other.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (snort3-file-pdf.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (snort3-file-pdf.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (snort3-file-other.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (snort3-server-webapp.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
* 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
* 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
* 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
* 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
* 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
* 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
* 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
* 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
* 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
* 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
* 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
* 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
* 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
* 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
* 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
* 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
* 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
* 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
* 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
* 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
* 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)