Talos has added and modified multiple rules in the file-java, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
* 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
* 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
* 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (snort3-file-java.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (snort3-file-office.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (snort3-indicator-compromise.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (snort3-malware-backdoor.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (snort3-malware-backdoor.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (snort3-indicator-compromise.rules)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (snort3-indicator-compromise.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (snort3-server-webapp.rules)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (snort3-server-webapp.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (snort3-file-java.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (snort3-malware-tools.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (snort3-malware-backdoor.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (snort3-malware-tools.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (snort3-file-office.rules)

* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (snort3-file-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (snort3-file-other.rules)
* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
* 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50466 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50460 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50463 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50459 <-> DISABLED <-> FILE-JAVA Oracle Java AtomicReferenceFieldUpdater remote code execution attempt (file-java.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50477 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50467 <-> ENABLED <-> INDICATOR-COMPROMISE Mimikatz use via SMB attempt (indicator-compromise.rules)
* 1:50461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50464 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner NetServer enumeration attempt (indicator-compromise.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50478 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50491 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 1:50476 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell transfer attempt (malware-backdoor.rules)
* 1:50475 <-> ENABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:50462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malicious cce value following a PtgMemFunc token (file-office.rules)
* 1:50468 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50479 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.CoinMiner dropper transfer attempt (malware-tools.rules)
* 1:50480 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50481 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50482 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50465 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
* 1:50483 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50484 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.Catwatchful client app variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:50490 <-> DISABLED <-> SERVER-WEBAPP TYPO3 PharStreamWrapper Package directory traversal attempt (server-webapp.rules)
* 3:50469 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50470 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50471 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50472 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers denial of service attempt (server-webapp.rules)
* 3:50485 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50486 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50487 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50488 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site scripting attempt (server-webapp.rules)
* 3:50489 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Service Catalog cross site request forgery attempt (server-webapp.rules)
* 3:50492 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN Solution command injection attempt (server-webapp.rules)

* 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
* 1:26496 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 1:26495 <-> DISABLED <-> FILE-OTHER WellinTech KingView KingMessage log file parsing buffer overflow attempt (file-other.rules)
* 3:49296 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:49982 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0822 attack attempt (policy-other.rules)