Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (snort3-server-webapp.rules)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (snort3-file-other.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (snort3-file-pdf.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (snort3-file-other.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (snort3-file-pdf.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (snort3-malware-other.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (snort3-file-pdf.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (snort3-server-webapp.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (snort3-file-pdf.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (snort3-malware-cnc.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (snort3-malware-other.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (snort3-malware-other.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (snort3-malware-other.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (snort3-malware-other.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (snort3-indicator-compromise.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (snort3-malware-other.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (snort3-indicator-compromise.rules)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (snort3-malware-other.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (snort3-indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (snort3-indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (snort3-indicator-compromise.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (snort3-indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (snort3-indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (snort3-indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (snort3-indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (snort3-indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (snort3-indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (snort3-indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (snort3-indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (snort3-server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (snort3-file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (snort3-indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (snort3-indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (snort3-indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (snort3-indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (snort3-indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (snort3-indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (snort3-indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (snort3-indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (snort3-indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (snort3-indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (snort3-indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (snort3-indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (snort3-indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (snort3-indicator-compromise.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48715 <-> ENABLED <-> MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt (malware-other.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48712 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48711 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48710 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48709 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file image-load out-of-bounds read attempt (file-other.rules)
* 1:48708 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48707 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader heap overflow attempt (file-pdf.rules)
* 1:48706 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48705 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:48718 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt (malware-other.rules)
* 1:48717 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48716 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.MagentoCore infected page detected (malware-other.rules)
* 1:48721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48720 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48719 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected (malware-other.rules)
* 1:48722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48746 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48745 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
* 1:48744 <-> DISABLED <-> SERVER-WEBAPP TRENDnet TEW-673GRU apply.cgi start_arpping command injection attempt (server-webapp.rules)
* 1:48743 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48742 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48741 <-> ENABLED <-> MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt (malware-other.rules)
* 1:48740 <-> DISABLED <-> SERVER-WEBAPP Tridium Niagara default administrator account login attempt (server-webapp.rules)
* 1:48739 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48738 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro memory corruption attempt (file-pdf.rules)
* 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
* 1:48734 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48733 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zekapab variant outbound connection (malware-cnc.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
* 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns query (indicator-compromise.rules)