Talos has added and modified multiple rules in the file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (snort3-server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (snort3-server-webapp.rules)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (snort3-server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (snort3-server-webapp.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (snort3-malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (snort3-server-webapp.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (snort3-malware-cnc.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (snort3-malware-cnc.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:55834 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55835 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme cross site scripting attempt (server-webapp.rules)
* 1:55836 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55837 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55838 <-> DISABLED <-> SERVER-WEBAPP Wordpress Nexos theme SQL injection attempt (server-webapp.rules)
* 1:55839 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:55840 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:55841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 3:55843 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55842 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1156 attack attempt (file-pdf.rules)
* 3:55844 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 3:55845 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1155 attack attempt (file-other.rules)
* 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:50049 <-> ENABLED <-> MALWARE-CNC Win.Dropper.FormBook variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46825 <-> ENABLED <-> SERVER-WEBAPP Multiple products DVR admin password leak attempt (server-webapp.rules)
* 1:46723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:48804 <-> DISABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:46826 <-> DISABLED <-> SERVER-WEBAPP Multiple products DVR arbitrary command execution attempt (server-webapp.rules)
* 1:49076 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:52620 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
* 1:46724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules)
* 1:49080 <-> ENABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
* 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
* 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
* 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)