Talos has added and modified multiple rules in the browser-ie, file-other, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
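The "gid:sid <-> Default rule state <-> Message (rule group)" format above is easy to script against, and worth scripting against: most of the server-webapp rules in these lists ship DISABLED, so an operator who wants the MDaemon, SmarterStats or VTScada coverage has to enable those SIDs deliberately, and anyone tracking the 2091501, 2091500 and 2091401 lists wants to know which default states actually changed between releases. The following parser is an added example written for this page; it is not Talos or Snort code. It uses a constructed sample of five entries copied from the lists above, with one entry deliberately broken across a line break the way the extracted page presents them; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the page's 'gid:sid <-> state <-> message (group)'
# format: five entries taken from the lists above, run together on one line
# and with one entry split across a line break, as on the extracted page.
SAMPLE = (
    "* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary "
    "with spoofed certificate attempt (os-windows.rules) "
    "* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt "
    "(browser-ie.rules) "
    "* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt "
    "(file-other.rules) "
    "* 1:48727 <-> DISABLED \n"   # entry continues on the next line
    "<-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules) "
    "* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code "
    "execution attempt (server-webapp.rules)"
)

# One entry: gid:sid, the default state, a lazy message, then '(<group>.rules)'.
# DOTALL lets the lazy message and the \s* separators cross a line break.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


def parse_entries(text):
    """Return one dict per entry found anywhere in text.

    finditer over the whole text (rather than a per-line split) accepts
    one-entry-per-line lists, lists flattened onto a single line, and
    entries broken across a line break.
    """
    return [
        {
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": " ".join(m["msg"].split()),  # collapse newlines/double spaces
            "group": m["group"],
        }
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries):
    """Count entries per (rule group, default state)."""
    return Counter((e["group"], e["state"]) for e in entries)


def disabled_matching(entries, keyword):
    """gid:sid strings of rules that ship DISABLED and mention keyword.

    These are the SIDs an operator must turn on explicitly (for example in
    a rule-management tool's enable list) to get that coverage.
    """
    kw = keyword.lower()
    return sorted(
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["state"] == "DISABLED" and kw in e["msg"].lower()
    )


def state_changes(old_text, new_text):
    """Diff two release lists.

    Returns {gid:sid: (old_state, new_state)} for rules present in only one
    list or whose default state differs; None marks absence from a list.
    """
    old = {f"{e['gid']}:{e['sid']}": e["state"] for e in parse_entries(old_text)}
    new = {f"{e['gid']}:{e['sid']}": e["state"] for e in parse_entries(new_text)}
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(old.keys() | new.keys(),
                          key=lambda k: tuple(int(x) for x in k.split(":")))
        if old.get(key) != new.get(key)
    }


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for (group, state), n in sorted(summarize(found).items()):
        print(f"{group:22s} {state:9s} {n}")
    print("disabled SmarterStats SIDs:", disabled_matching(found, "SmarterStats"))
```

Feed the whole page (or the `.rules` change list from a downloaded ruleset) to `parse_entries`; `summarize` shows at a glance how much of a release is off by default, and `state_changes` run over two consecutive release lists isolates the SIDs whose default state moved, which is what a change-control ticket for the sensor should record.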
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure
(server-webapp.rules) * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules) * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules) * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules) * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules) * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules) * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules) * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules) * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules) * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules) * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules) * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules) * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules) * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules) * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules) * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules) * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules) * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt 
(server-webapp.rules) * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules) * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules) * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules) * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules) * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules) * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules) * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules) * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules) * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules) * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules) * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules) * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules) * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules) * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras 
format string exploitation attempt (server-webapp.rules) * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules) * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules) * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules) * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules) * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules) * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules) * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules) * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules) * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules) * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules) * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules) * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules) * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules) * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules) * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules) * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (snort3-malware-other.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (snort3-malware-cnc.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (snort3-malware-other.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (snort3-malware-cnc.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (snort3-malware-cnc.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (snort3-server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (snort3-server-webapp.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (snort3-server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (snort3-server-webapp.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (snort3-server-webapp.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (snort3-server-webapp.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (snort3-server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (snort3-server-webapp.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (snort3-server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (snort3-server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (snort3-server-webapp.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (snort3-server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (snort3-server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (snort3-server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (snort3-server-webapp.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (snort3-server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (snort3-server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (snort3-server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (snort3-server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (snort3-server-webapp.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (snort3-server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (snort3-server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (snort3-server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (snort3-server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (snort3-server-webapp.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (snort3-server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (snort3-server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (snort3-server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (snort3-server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (snort3-server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (snort3-server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (snort3-server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (snort3-server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (snort3-server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (snort3-server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (snort3-server-webapp.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (snort3-server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (snort3-server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (snort3-server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (snort3-server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (snort3-server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (snort3-server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (snort3-server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (snort3-server-webapp.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (snort3-server-webapp.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (snort3-server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (snort3-server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (snort3-server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (snort3-server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (snort3-server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (snort3-server-webapp.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (snort3-server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (snort3-server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (snort3-server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (snort3-server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (snort3-browser-ie.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (snort3-browser-ie.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (snort3-server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (snort3-server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (snort3-server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (snort3-server-webapp.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (snort3-server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (snort3-server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (snort3-server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
* 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
* 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
* 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
* 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
* 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
* 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
* 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
* 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
* 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
* 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
* 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
* 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
* 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
* 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
* 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
* 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
* 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
* 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
* 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
* 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
* 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
* 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
* 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
* 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
* 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
* 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
* 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
* 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
* 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
* 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
* 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
* 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
* 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
* 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
* 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
* 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
* 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
* 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
* 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
* 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
* 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
* 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
* 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
* 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
* 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
* 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
* 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
* 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
* 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
* 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
* 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
* 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
* 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
* 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
* 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
* 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
* 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
* 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
* 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
* 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
* 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
* 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
* 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)