Talos has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, browser-webkit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, os-other, os-windows, policy-other, policy-social, protocol-dns, pua-adware, server-other and x11 rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
* 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
* 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (snort3-protocol-dns.rules) * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (snort3-server-other.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (snort3-malware-cnc.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (snort3-protocol-dns.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
* 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (snort3-browser-ie.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (snort3-pua-adware.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (snort3-pua-adware.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (snort3-file-other.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (snort3-server-webapp.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (snort3-browser-webkit.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (snort3-pua-adware.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (snort3-policy-social.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (snort3-indicator-shellcode.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (snort3-app-detect.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (snort3-server-other.rules) * 1:1226 <-> DISABLED <-> X11 xopen (snort3-x11.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (snort3-x11.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (snort3-browser-webkit.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (snort3-server-webapp.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules) * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (snort3-malware-cnc.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (snort3-browser-ie.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (snort3-browser-ie.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (snort3-server-webapp.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (snort3-malware-cnc.rules) * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (snort3-os-windows.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (snort3-os-windows.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (snort3-pua-adware.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (snort3-browser-plugins.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (snort3-file-other.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (snort3-file-multimedia.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (snort3-file-office.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (snort3-file-office.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (snort3-pua-adware.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (snort3-file-image.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (snort3-malware-cnc.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (snort3-os-windows.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules) * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules) * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules) * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules) * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules) * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules) * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
* 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules) * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules) * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules) * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules) * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules) * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules) * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules) * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules) * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules) * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules) * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules) * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules) * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules) * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules) * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules) * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules) * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules) * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules) * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules) * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules) * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules) * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules) * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules) * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules) * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules) * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules) * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules) * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules) * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules) * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules) * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules) * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules) * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules) * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules) * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules) * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules) * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules) * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
