Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-plugins, browser-webkit, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (snort3-server-webapp.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (snort3-server-other.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (snort3-server-apache.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (snort3-malware-cnc.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (snort3-file-other.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (snort3-malware-cnc.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (snort3-malware-cnc.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (snort3-file-image.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (snort3-malware-cnc.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (snort3-server-webapp.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (snort3-file-other.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (snort3-protocol-voip.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (snort3-protocol-voip.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (snort3-server-apache.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (snort3-protocol-scada.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (snort3-file-other.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (snort3-protocol-voip.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (snort3-server-other.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (snort3-file-other.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (snort3-protocol-voip.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (snort3-malware-cnc.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
* 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
* 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
* 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
* 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
* 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
* 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
* 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
* 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
* 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
* 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)

* 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
* 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
* 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
* 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
* 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
* 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
* 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
* 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)