Talos has added and modified multiple rules in the browser-firefox, file-multimedia, file-office, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
SIDs 44989-44990, 45132-45137, 45466-45467, 45511-45512, 46106-46107 provide coverage for CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. Based on new threat intelligence, we are releasing additional coverage for these CVEs - SIDs 50684, 50685, 50689-50695.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)

* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)

* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)

* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (snort3-file-office.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (snort3-file-multimedia.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (snort3-file-multimedia.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (snort3-file-office.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (snort3-malware-cnc.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (snort3-malware-cnc.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (snort3-server-webapp.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (snort3-malware-cnc.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (snort3-malware-other.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (snort3-malware-other.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)

* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)

* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
* 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
* 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
* 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
* 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
* 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
* 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
* 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
* 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
* 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)

* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)