Talos has added and modified multiple rules in the browser-chrome, browser-plugins, deleted, file-multimedia, file-office, file-other, malware-cnc, policy-other, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
* 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
* 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
* 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
* 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
* 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
* 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
* 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
* 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
* 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
* 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
* 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
* 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
* 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
* 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
* 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
* 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
* 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
* 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
* 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
* 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
* 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
* 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
* 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
* 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (snort3-server-other.rules)
* 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
* 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)
* 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (snort3-file-other.rules)
* 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (snort3-server-other.rules)
* 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (snort3-deleted.rules)
* 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (snort3-server-other.rules)
* 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (snort3-server-other.rules)
* 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (snort3-server-webapp.rules)
* 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
* 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (snort3-file-multimedia.rules)
* 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (snort3-deleted.rules)
* 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
* 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
* 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (snort3-malware-cnc.rules)
* 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (snort3-deleted.rules)
* 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
* 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
* 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
* 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (snort3-malware-cnc.rules)
* 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (snort3-malware-cnc.rules)
* 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (snort3-protocol-ftp.rules)
* 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (snort3-server-other.rules)
* 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (snort3-server-webapp.rules)
* 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
* 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
* 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
* 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (snort3-policy-other.rules)
* 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (snort3-file-other.rules)
* 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (snort3-server-webapp.rules)
* 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (snort3-file-other.rules)
* 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (snort3-server-webapp.rules)
* 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (snort3-server-other.rules)
* 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)
* 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (snort3-malware-cnc.rules)
* 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (snort3-malware-cnc.rules)
* 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
* 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
* 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
* 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
* 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
* 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
* 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
* 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
* 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
* 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
* 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
* 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
* 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
* 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
* 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
* 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
* 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
* 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
* 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
* 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
* 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
* 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
* 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
* 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
* 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
* 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
* 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
* 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
* 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
* 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
* 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
* 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
* 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
* 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
* 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
* 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
* 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
* 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
* 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
* 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)