Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
* 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
* 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
* 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
* 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
* 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
* 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
* 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)

* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
* 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
* 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
* 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
* 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
* 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
* 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
* 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
* 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)

* 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
* 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (snort3-malware-cnc.rules)
* 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)
* 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (snort3-malware-cnc.rules)
* 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (snort3-malware-cnc.rules)
* 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (snort3-server-webapp.rules)
* 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (snort3-malware-cnc.rules)
* 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (snort3-malware-other.rules)
* 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (snort3-malware-cnc.rules)
* 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (snort3-server-webapp.rules)
* 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (snort3-server-webapp.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (snort3-malware-cnc.rules)
* 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (snort3-server-webapp.rules)
* 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
* 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
* 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (snort3-os-windows.rules)
* 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (snort3-os-windows.rules)
* 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (snort3-os-windows.rules)
* 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules)

* 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (snort3-malware-cnc.rules)
* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
* 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
* 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
* 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
* 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
* 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
* 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
* 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
* 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)

* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46824 <-> DISABLED <-> SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt (server-webapp.rules)
* 1:46823 <-> ENABLED <-> SERVER-WEBAPP Spring Security OAuth remote code execution attempt (server-webapp.rules)
* 1:46822 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud raid_cgi.php arbitrary command execution attempt (server-webapp.rules)
* 1:46821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.N40 variant outbound connection (malware-cnc.rules)
* 1:46820 <-> ENABLED <-> MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt (malware-cnc.rules)
* 1:46819 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Satan payload download (malware-other.rules)
* 1:46818 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Satan outbound connection (malware-cnc.rules)
* 1:46817 <-> DISABLED <-> SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt (server-webapp.rules)
* 1:46816 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46815 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46814 <-> DISABLED <-> SERVER-WEBAPP Western Digital MyCloud login_mgr.cgi command injection attempt (server-webapp.rules)
* 1:46813 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46812 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules)
* 1:46838 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46837 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46836 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Vega variant outbound connection detected (malware-cnc.rules)
* 1:46835 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46834 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46832 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ROP gadget locate attempt (os-windows.rules)
* 1:46831 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46830 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel privilege escalation attempt (os-windows.rules)
* 1:46829 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46828 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-620 index.cgi command injection attempt (server-webapp.rules)
* 1:46827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dunihi outbound connection (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)

* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:28817 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection (malware-cnc.rules)