Talos has added and modified multiple rules in the deleted, file-pdf, malware-cnc, malware-other, netbios, os-linux, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
* 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
* 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
* 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
* 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
* 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
* 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
* 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
* 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

* 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
* 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
* 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
* 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
* 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
* 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
* 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
* 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
* 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
* 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
* 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

* 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (snort3-server-mail.rules)
* 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (snort3-malware-cnc.rules)
* 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
* 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (snort3-netbios.rules)
* 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (snort3-server-mail.rules)
* 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (snort3-malware-cnc.rules)
* 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (snort3-deleted.rules)
* 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (snort3-malware-cnc.rules)
* 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (snort3-deleted.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (snort3-os-linux.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
* 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (snort3-server-webapp.rules)
* 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (snort3-malware-cnc.rules)
* 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
* 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (snort3-deleted.rules)
* 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
* 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (snort3-malware-cnc.rules)
* 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (snort3-malware-cnc.rules)
* 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (snort3-deleted.rules)

* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
* 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
* 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
* 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
* 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (snort3-netbios.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (snort3-malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (snort3-malware-other.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (snort3-malware-other.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
* 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
* 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
* 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
* 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
* 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
* 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
* 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
* 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
* 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
* 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
* 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

* 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46573 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100517 (deleted.rules)
* 1:46571 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100515 (deleted.rules)
* 1:46569 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100513 (deleted.rules)
* 1:46567 <-> DISABLED <-> DELETED SERVER-OTHER junky junk 100511 (deleted.rules)
* 1:46628 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46622 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46621 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter arbitrary file upload attempt (server-webapp.rules)
* 1:46620 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server image converter information leak attempt (server-webapp.rules)
* 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
* 1:46612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unruy outbound callout (malware-cnc.rules)
* 1:46611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:46609 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackIce variant outbound connection (malware-cnc.rules)
* 1:46608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
* 1:46637 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:46636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection (malware-cnc.rules)
* 1:46633 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46632 <-> DISABLED <-> SERVER-MAIL Office 365 ATP Safe Links bypass attempt (server-mail.rules)
* 1:46631 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46630 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 1:46629 <-> ENABLED <-> MALWARE-CNC Rubella Macro Builder generated payload (malware-cnc.rules)
* 3:46634 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)
* 3:46635 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0592 attack attempt (file-pdf.rules)

* 1:16418 <-> DISABLED <-> NETBIOS SMB client NULL deref race condition attempt (netbios.rules)
* 1:33166 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33168 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:45484 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt (malware-other.rules)
* 1:45485 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt (malware-other.rules)
* 1:45486 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Samsam upload attempt (malware-other.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:33169 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 1:33167 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails arbitrary Ruby object deserialization attempt (server-webapp.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)