Talos has added and modified multiple rules in the browser-chrome, browser-plugins, file-identify, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (snort3-malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (snort3-malware-cnc.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (snort3-malware-cnc.rules)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (snort3-malware-other.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (snort3-malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (snort3-malware-other.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (snort3-malware-cnc.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (snort3-malware-other.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (snort3-file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (snort3-malware-cnc.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54044 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 1:54042 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54041 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54035 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54036 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Fareitvb-7861078-0 download attempt (malware-other.rules)
* 1:54037 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54046 <-> ENABLED <-> MALWARE-CNC Win.Malware.Qealler variant outbound connection (malware-cnc.rules)
* 1:54038 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54039 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-7880797-0 download attempt (malware-other.rules)
* 1:54040 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant outbound connection (malware-cnc.rules)
* 1:54043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Evilnum variant inbound connection (malware-cnc.rules)
* 1:54045 <-> ENABLED <-> MALWARE-OTHER Win.Dropper.Evilnum malicious LNK file download attempt (malware-other.rules)
* 3:54047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54048 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1084 attack attempt (file-pdf.rules)
* 3:54049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54050 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1087 attack attempt (server-webapp.rules)
* 3:54051 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 3:54052 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2020-1085 attack attempt (browser-chrome.rules)
* 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
* 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
* 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
* 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
* 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:18593 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file download request (file-identify.rules)
* 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
* 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)