Talos has added and modified multiple rules in the file-office, file-other, malware-cnc, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)

* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)

* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)

* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)

* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)

* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)

* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)

* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (snort3-malware-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (snort3-policy-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (snort3-os-windows.rules)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (snort3-os-windows.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (snort3-malware-other.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (snort3-policy-other.rules)

* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (snort3-malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56224 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56223 <-> DISABLED <-> POLICY-OTHER PyYAML Python object serialization attempt (policy-other.rules)
* 1:56215 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 1:56231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Cryptography Driver privilege escalation attempt (os-windows.rules)
* 1:56214 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Zusy-9786645-0 download attempt (malware-other.rules)
* 3:56216 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56221 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56229 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56225 <-> ENABLED <-> SERVER-OTHER Cisco Webex Meetings virtual channel remote code execution attempt (server-other.rules)
* 3:56227 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56222 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client arbitrary code execution attempt (file-other.rules)
* 3:56217 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player out of bounds write attempt (file-other.rules)
* 3:56228 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56220 <-> ENABLED <-> SERVER-WEBAPP Cisco SD-WAN vManage directory traversal attempt (server-webapp.rules)
* 3:56218 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)
* 3:56226 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2020-1190 attack attempt (file-office.rules)
* 3:56219 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player buffer overflow attempt (file-other.rules)

* 1:48281 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo downloader connection (malware-cnc.rules)
* 1:48286 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48284 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48285 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48282 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 1:48283 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Chalubo outbound connection (malware-cnc.rules)
* 3:39878 <-> ENABLED <-> SERVER-OTHER Cisco IOS truncated NTP packet processing denial of service attempt (server-other.rules)
* 3:44986 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0486 attack attempt (server-other.rules)
* 3:46740 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)
* 3:46741 <-> ENABLED <-> SERVER-WEBAPP Kubernetes Kubelet arbitrary command execution attempt (server-webapp.rules)
* 3:47698 <-> ENABLED <-> SERVER-WEBAPP Cisco Integrated Management Controller command injection attempt (server-webapp.rules)