Talos has added and modified multiple rules in the browser-other, file-other, file-pdf, malware-cnc, malware-other, malware-tools, policy-other, protocol-ftp, pua-other, server-iis, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
* 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
* 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
* 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
* 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
* 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
* 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
* 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
* 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
* 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
* 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)

* 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
* 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
* 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
* 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
* 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
* 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
* 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
* 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
* 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
* 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
* 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
* 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)

* 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
* 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
* 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-file-other.rules)
* 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (snort3-server-mysql.rules)
* 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (snort3-server-oracle.rules)
* 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)
* 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (snort3-server-mysql.rules)
* 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)
* 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (snort3-server-webapp.rules)
* 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (snort3-malware-cnc.rules)
* 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-file-other.rules)
* 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (snort3-malware-other.rules)
* 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
* 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (snort3-server-mysql.rules)
* 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (snort3-protocol-ftp.rules)
* 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (snort3-malware-other.rules)
* 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (snort3-server-mysql.rules)
* 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (snort3-server-mysql.rules)
* 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
* 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
* 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
* 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (snort3-server-other.rules)
* 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
* 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
* 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (snort3-malware-tools.rules)
* 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
* 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (snort3-pua-other.rules)

* 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (snort3-server-iis.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (snort3-server-webapp.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
* 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
* 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (snort3-policy-other.rules)
* 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (snort3-browser-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
* 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
* 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
* 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
* 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
* 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
* 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
* 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
* 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
* 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
* 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
* 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)

* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
* 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
* 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
* 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
* 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
* 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
* 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
* 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
* 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
* 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
* 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
* 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
* 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
* 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
* 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
* 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
* 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
* 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
* 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)

* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
* 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
* 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
* 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)