Talos Rules 2018-05-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, netbios, os-linux, os-windows, protocol-other, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-05-24 14:51:49 UTC

Snort Subscriber Rules Update

Date: 2018-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46791 <-> DISABLED <-> SERVER-WEBAPP Ruby Net FTP library command injection attempt (server-webapp.rules)
 * 1:46790 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46789 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46788 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46787 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46786 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy initial outbound request (malware-cnc.rules)
 * 1:46785 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string (malware-cnc.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:46783 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46782 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46794 <-> ENABLED <-> OS-WINDOWS Malicious vbscript download attempt (os-windows.rules)
 * 1:46793 <-> ENABLED <-> OS-WINDOWS Malicious zip download attempt (os-windows.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46797 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46796 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper outbound connection (malware-cnc.rules)
 * 1:46795 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper initial outbound connection (malware-cnc.rules)
 * 1:46799 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46798 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46802 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46801 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46800 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46804 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46803 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46805 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46811 <-> ENABLED <-> FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt (file-other.rules)
 * 1:46810 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46809 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46808 <-> DISABLED <-> SERVER-WEBAPP PHP .phar cross site scripting attempt (server-webapp.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:46806 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:37961 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:35734 <-> DISABLED <-> SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt (server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:37960 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt (server-other.rules)
 * 1:44643 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS denial of service attempt (server-other.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:41751 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41750 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41749 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41748 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44373 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:45001 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information leak attempt (server-webapp.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:46299 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46298 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46297 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46287 <-> DISABLED <-> SERVER-WEBAPP Linksys E series denial of service attempt (server-webapp.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:26278 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26276 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:26277 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound data connection (malware-cnc.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:17494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:25589 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46300 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)

2018-05-24 14:51:49 UTC

Snort Subscriber Rules Update

Date: 2018-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46783 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46788 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46785 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string (malware-cnc.rules)
 * 1:46786 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy initial outbound request (malware-cnc.rules)
 * 1:46787 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46789 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46790 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46791 <-> DISABLED <-> SERVER-WEBAPP Ruby Net FTP library command injection attempt (server-webapp.rules)
 * 1:46793 <-> ENABLED <-> OS-WINDOWS Malicious zip download attempt (os-windows.rules)
 * 1:46794 <-> ENABLED <-> OS-WINDOWS Malicious vbscript download attempt (os-windows.rules)
 * 1:46795 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper initial outbound connection (malware-cnc.rules)
 * 1:46796 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper outbound connection (malware-cnc.rules)
 * 1:46797 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46798 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46799 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46800 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46782 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46802 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46801 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:46803 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46804 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46805 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46806 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:46808 <-> DISABLED <-> SERVER-WEBAPP PHP .phar cross site scripting attempt (server-webapp.rules)
 * 1:46809 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46810 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46811 <-> ENABLED <-> FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt (file-other.rules)

Modified Rules:


 * 1:41748 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:37961 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:41749 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41750 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:41751 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:35734 <-> DISABLED <-> SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt (server-webapp.rules)
 * 1:37960 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt (server-other.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:25589 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound data connection (malware-cnc.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:45001 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information leak attempt (server-webapp.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:26277 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46287 <-> DISABLED <-> SERVER-WEBAPP Linksys E series denial of service attempt (server-webapp.rules)
 * 1:46297 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46298 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46299 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:44373 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:26276 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:17494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26278 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:46300 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:44643 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS denial of service attempt (server-other.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)

2018-05-24 14:51:49 UTC

Snort Subscriber Rules Update

Date: 2018-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46786 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy initial outbound request (snort3-malware-cnc.rules)
 * 1:46783 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (snort3-malware-cnc.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (snort3-server-other.rules)
 * 1:46782 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (snort3-malware-cnc.rules)
 * 1:46787 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46788 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46789 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46790 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46791 <-> DISABLED <-> SERVER-WEBAPP Ruby Net FTP library command injection attempt (snort3-server-webapp.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (snort3-malware-cnc.rules)
 * 1:46793 <-> ENABLED <-> OS-WINDOWS Malicious zip download attempt (snort3-os-windows.rules)
 * 1:46794 <-> ENABLED <-> OS-WINDOWS Malicious vbscript download attempt (snort3-os-windows.rules)
 * 1:46795 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper initial outbound connection (snort3-malware-cnc.rules)
 * 1:46796 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper outbound connection (snort3-malware-cnc.rules)
 * 1:46797 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:46798 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:46799 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46800 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46801 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46802 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (snort3-server-webapp.rules)
 * 1:46803 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (snort3-server-webapp.rules)
 * 1:46804 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (snort3-server-webapp.rules)
 * 1:46805 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (snort3-server-webapp.rules)
 * 1:46806 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (snort3-server-webapp.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (snort3-malware-other.rules)
 * 1:46808 <-> DISABLED <-> SERVER-WEBAPP PHP .phar cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46809 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (snort3-file-pdf.rules)
 * 1:46810 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (snort3-file-pdf.rules)
 * 1:46811 <-> ENABLED <-> FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt (snort3-file-other.rules)
 * 1:46785 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string (snort3-malware-cnc.rules)

Modified Rules:


 * 1:41748 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:41751 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:41749 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:37961 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (snort3-browser-ie.rules)
 * 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:35734 <-> DISABLED <-> SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt (snort3-server-webapp.rules)
 * 1:41750 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:37960 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt (snort3-server-other.rules)
 * 1:25589 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (snort3-server-other.rules)
 * 1:26278 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (snort3-server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (snort3-server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (snort3-server-other.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (snort3-server-other.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (snort3-server-other.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (snort3-server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (snort3-server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (snort3-server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (snort3-pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (snort3-pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (snort3-pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (snort3-pua-other.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (snort3-server-webapp.rules)
 * 1:26276 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (snort3-server-webapp.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (snort3-server-webapp.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (snort3-server-other.rules)
 * 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (snort3-server-other.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (snort3-server-webapp.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound data connection (snort3-malware-cnc.rules)
 * 1:17494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (snort3-browser-ie.rules)
 * 1:26277 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (snort3-server-webapp.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (snort3-indicator-compromise.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (snort3-os-linux.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (snort3-server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (snort3-server-other.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46300 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (snort3-server-webapp.rules)
 * 1:44643 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS denial of service attempt (snort3-server-other.rules)
 * 1:46298 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (snort3-server-webapp.rules)
 * 1:46299 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (snort3-server-webapp.rules)
 * 1:46287 <-> DISABLED <-> SERVER-WEBAPP Linksys E series denial of service attempt (snort3-server-webapp.rules)
 * 1:46297 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (snort3-server-webapp.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (snort3-netbios.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (snort3-pua-other.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (snort3-pua-other.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (snort3-server-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (snort3-server-webapp.rules)
 * 1:45001 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information leak attempt (snort3-server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (snort3-server-webapp.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (snort3-server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:44373 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (snort3-server-webapp.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (snort3-server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (snort3-server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (snort3-server-other.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (snort3-server-other.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)

2018-05-24 14:51:49 UTC

Snort Subscriber Rules Update

Date: 2018-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46783 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:46786 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy initial outbound request (malware-cnc.rules)
 * 1:46787 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46788 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46789 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46790 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46791 <-> DISABLED <-> SERVER-WEBAPP Ruby Net FTP library command injection attempt (server-webapp.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46782 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46793 <-> ENABLED <-> OS-WINDOWS Malicious zip download attempt (os-windows.rules)
 * 1:46794 <-> ENABLED <-> OS-WINDOWS Malicious vbscript download attempt (os-windows.rules)
 * 1:46795 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper initial outbound connection (malware-cnc.rules)
 * 1:46796 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper outbound connection (malware-cnc.rules)
 * 1:46797 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46798 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46799 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46800 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46801 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46802 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46803 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46804 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46805 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46806 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:46808 <-> DISABLED <-> SERVER-WEBAPP PHP .phar cross site scripting attempt (server-webapp.rules)
 * 1:46809 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46810 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46811 <-> ENABLED <-> FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt (file-other.rules)
 * 1:46785 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string (malware-cnc.rules)

Modified Rules:


 * 1:41748 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:37961 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:26276 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:41751 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:41749 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41750 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:37960 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt (server-other.rules)
 * 1:44373 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:35734 <-> DISABLED <-> SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt (server-webapp.rules)
 * 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:26278 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:26277 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound data connection (malware-cnc.rules)
 * 1:25589 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:17494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:45001 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information leak attempt (server-webapp.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:46300 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:44643 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS denial of service attempt (server-other.rules)
 * 1:46299 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46287 <-> DISABLED <-> SERVER-WEBAPP Linksys E series denial of service attempt (server-webapp.rules)
 * 1:46297 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46298 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)

2018-05-24 14:51:49 UTC

Snort Subscriber Rules Update

Date: 2018-05-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46785 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string (malware-cnc.rules)
 * 1:46809 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46791 <-> DISABLED <-> SERVER-WEBAPP Ruby Net FTP library command injection attempt (server-webapp.rules)
 * 1:46788 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46786 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Zebrocy initial outbound request (malware-cnc.rules)
 * 1:46789 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46794 <-> ENABLED <-> OS-WINDOWS Malicious vbscript download attempt (os-windows.rules)
 * 1:46797 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46798 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:46800 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46801 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46802 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46803 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46804 <-> DISABLED <-> SERVER-WEBAPP Anti-Web directory traversal attempt (server-webapp.rules)
 * 1:46806 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46805 <-> ENABLED <-> SERVER-WEBAPP BA Systems BAS Web information disclosure attempt (server-webapp.rules)
 * 1:46810 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader font enumeration use after free attempt (file-pdf.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:46782 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46787 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46808 <-> DISABLED <-> SERVER-WEBAPP PHP .phar cross site scripting attempt (server-webapp.rules)
 * 1:46811 <-> ENABLED <-> FILE-OTHER Microsoft Windows Host Compute Service Shim remote code execution attempt (file-other.rules)
 * 1:46783 <-> DISABLED <-> MALWARE-CNC vpnfilter SSL connection attempt (malware-cnc.rules)
 * 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
 * 1:46799 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud snmp_mgr.cgi command injection attempt (server-webapp.rules)
 * 1:46790 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt (malware-cnc.rules)
 * 1:46793 <-> ENABLED <-> OS-WINDOWS Malicious zip download attempt (os-windows.rules)
 * 1:46796 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper outbound connection (malware-cnc.rules)
 * 1:46795 <-> ENABLED <-> MALWARE-CNC Dharma ransomware dropper initial outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:35734 <-> DISABLED <-> SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt (server-webapp.rules)
 * 1:41749 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:25589 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:41699 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:44687 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt (server-webapp.rules)
 * 1:37960 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P message integer overflow attempt (server-other.rules)
 * 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:26277 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)
 * 1:26275 <-> DISABLED <-> SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt (server-webapp.rules)
 * 1:25949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound data connection (malware-cnc.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:41750 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:41698 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:37961 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:44699 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
 * 1:44643 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS denial of service attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:41748 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt (pua-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
 * 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
 * 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:44373 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:46287 <-> DISABLED <-> SERVER-WEBAPP Linksys E series denial of service attempt (server-webapp.rules)
 * 1:46297 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46298 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:41751 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt (server-webapp.rules)
 * 1:44971 <-> DISABLED <-> SERVER-OTHER QNAP transcode server command injection attempt (server-other.rules)
 * 1:37963 <-> DISABLED <-> INDICATOR-COMPROMISE malicious file download attempt (indicator-compromise.rules)
 * 1:17494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:41700 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt (server-webapp.rules)
 * 1:46299 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:46300 <-> DISABLED <-> SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt (server-webapp.rules)
 * 1:40063 <-> DISABLED <-> OS-LINUX Linux Kernel Challenge ACK provocation attempt (os-linux.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:44688 <-> ENABLED <-> SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt (server-webapp.rules)
 * 1:26278 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:45001 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information leak attempt (server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
 * 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44698 <-> DISABLED <-> SERVER-WEBAPP Internal field separator use in HTTP URI attempt (server-webapp.rules)
 * 1:26276 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt (server-webapp.rules)