Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (os-windows.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (os-windows.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (os-windows.rules)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (malware-cnc.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (os-windows.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (server-webapp.rules)
* 3:50622 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance denial of service attempt (server-webapp.rules)
* 3:50623 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50624 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50637 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
* 3:50650 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50651 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50652 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50653 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (os-windows.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (os-windows.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (malware-cnc.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (server-webapp.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (os-windows.rules)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (os-windows.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
* 3:50622 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance denial of service attempt (server-webapp.rules)
* 3:50623 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50624 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50637 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
* 3:50650 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50651 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50652 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50653 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (server-webapp.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (os-windows.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (os-windows.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (malware-cnc.rules)
* 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (os-windows.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (os-windows.rules)
* 3:50622 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance denial of service attempt (server-webapp.rules)
* 3:50623 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50624 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50637 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
* 3:50650 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50651 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50652 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50653 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (snort3-malware-cnc.rules)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (snort3-malware-other.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (snort3-malware-other.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (snort3-os-windows.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (snort3-malware-cnc.rules)
* 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (snort3-os-windows.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (snort3-server-webapp.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (snort3-server-webapp.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (snort3-server-webapp.rules)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (snort3-server-webapp.rules)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (snort3-server-webapp.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (snort3-server-webapp.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (snort3-os-windows.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (snort3-server-webapp.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (snort3-server-webapp.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (snort3-malware-cnc.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (snort3-malware-other.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (snort3-malware-other.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (snort3-malware-other.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (snort3-server-webapp.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (snort3-file-other.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (snort3-server-webapp.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (snort3-server-webapp.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (snort3-file-other.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (snort3-os-windows.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (snort3-os-windows.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (snort3-server-webapp.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (snort3-malware-other.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (malware-cnc.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (server-webapp.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (os-windows.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (os-windows.rules)
* 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (os-windows.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (os-windows.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 3:50622 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance denial of service attempt (server-webapp.rules)
* 3:50623 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50624 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50637 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
* 3:50650 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50651 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50652 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50653 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50657 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NTLM tampering attempt (os-windows.rules)
* 1:50631 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50632 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50627 <-> ENABLED <-> OS-WINDOWS Microsoft SMB Trans secondary out of bounds write attempt (os-windows.rules)
* 1:50634 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant outbound connection (malware-cnc.rules)
* 1:50655 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50656 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross-site scripting attempt (server-webapp.rules)
* 1:50639 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50640 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50645 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 1:50629 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50626 <-> ENABLED <-> OS-WINDOWS Microsoft Windows raw WriteAndX InData pointer adjustment attempt (os-windows.rules)
* 1:50654 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS cross site scripting attempt (server-webapp.rules)
* 1:50649 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50647 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50646 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB Transaction heap groom attempt (os-windows.rules)
* 1:50641 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50648 <-> ENABLED <-> SERVER-WEBAPP NUUO NVRmini upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
* 1:50642 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50643 <-> DISABLED <-> FILE-OTHER Adobe Director rscL chunk parsing denial of service attempt (file-other.rules)
* 1:50635 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50658 <-> DISABLED <-> SERVER-WEBAPP Sitefinity WCMS arbitrary file upload attempt (server-webapp.rules)
* 1:50630 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bemstour download attempt (malware-other.rules)
* 1:50636 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix variant download attempt (malware-cnc.rules)
* 1:50638 <-> DISABLED <-> SERVER-WEBAPP WIFICAM Wireless IP Camera command injection attempt (server-webapp.rules)
* 1:50644 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Ryuk variant download attempt (malware-other.rules)
* 3:50622 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance denial of service attempt (server-webapp.rules)
* 3:50623 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50624 <-> ENABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
* 3:50637 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
* 3:50650 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50651 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50652 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 3:50653 <-> ENABLED <-> SERVER-WEBAPP Cisco Enterprise NFV command injection attempt (server-webapp.rules)
* 1:18434 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader plugin ace.dll dll-load exploit attempt (file-other.rules)
* 1:50473 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50474 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)