Talos has added and modified multiple rules in the browser-firefox, exploit-kit, file-office, file-other, indicator-compromise, malware-backdoor, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (malware-backdoor.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (malware-backdoor.rules)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (indicator-compromise.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (exploit-kit.rules)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 3:50512 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager authentication bypass attempt (server-webapp.rules)
* 3:50513 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary WAR file upload attempt (server-webapp.rules)
* 3:50514 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary file download attempt (server-webapp.rules)
* 3:50515 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager information disclosure attempt (server-webapp.rules)
* 3:50516 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0849 attack attempt (protocol-other.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (malware-backdoor.rules)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (indicator-compromise.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (malware-backdoor.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (exploit-kit.rules)
* 3:50512 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager authentication bypass attempt (server-webapp.rules)
* 3:50513 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary WAR file upload attempt (server-webapp.rules)
* 3:50514 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary file download attempt (server-webapp.rules)
* 3:50515 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager information disclosure attempt (server-webapp.rules)
* 3:50516 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0849 attack attempt (protocol-other.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (exploit-kit.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (malware-backdoor.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (malware-backdoor.rules)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (indicator-compromise.rules)
* 3:50516 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0849 attack attempt (protocol-other.rules)
* 3:50515 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager information disclosure attempt (server-webapp.rules)
* 3:50513 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary WAR file upload attempt (server-webapp.rules)
* 3:50512 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager authentication bypass attempt (server-webapp.rules)
* 3:50514 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary file download attempt (server-webapp.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (snort3-exploit-kit.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (snort3-malware-backdoor.rules)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (snort3-malware-tools.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (snort3-indicator-compromise.rules)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (snort3-malware-tools.rules)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (snort3-exploit-kit.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (snort3-exploit-kit.rules)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (snort3-malware-backdoor.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (snort3-file-other.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (snort3-file-other.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (snort3-file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (malware-backdoor.rules)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (indicator-compromise.rules)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (malware-backdoor.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (exploit-kit.rules)
* 3:50514 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary file download attempt (server-webapp.rules)
* 3:50516 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0849 attack attempt (protocol-other.rules)
* 3:50512 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager authentication bypass attempt (server-webapp.rules)
* 3:50515 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager information disclosure attempt (server-webapp.rules)
* 3:50513 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary WAR file upload attempt (server-webapp.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50505 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50511 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit browser exploit page detected (exploit-kit.rules)
* 1:50507 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell outbound connection attempt (malware-backdoor.rules)
* 1:50517 <-> ENABLED <-> INDICATOR-COMPROMISE undocumented SMB dialect request attempt (indicator-compromise.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50509 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 1:50506 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
* 1:50508 <-> ENABLED <-> MALWARE-BACKDOOR WebShellOrb PHP shell upload attempt (malware-backdoor.rules)
* 1:50510 <-> ENABLED <-> EXPLOIT-KIT Spelevo Exploit Kit landing page detected (exploit-kit.rules)
* 3:50514 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary file download attempt (server-webapp.rules)
* 3:50516 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0849 attack attempt (protocol-other.rules)
* 3:50513 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager arbitrary WAR file upload attempt (server-webapp.rules)
* 3:50512 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager authentication bypass attempt (server-webapp.rules)
* 3:50515 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager information disclosure attempt (server-webapp.rules)
* 1:29208 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29207 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49285 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 1:29209 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:29212 <-> DISABLED <-> FILE-OTHER RealNetworks RealPlayer RMP file heap buffer overflow attempt (file-other.rules)
* 1:49286 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)