Talos has added and modified multiple rules in the file-pdf, malware-cnc, protocol-dns, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (snort3-protocol-other.rules)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (snort3-protocol-dns.rules)
* 1:300060 <-> ENABLED <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt (snort3-native.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (snort3-file-pdf.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (snort3-protocol-other.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (snort3-malware-cnc.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (snort3-server-apache.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (snort3-file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (snort3-server-webapp.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (snort3-file-pdf.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (snort3-server-apache.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (snort3-malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (snort3-malware-cnc.rules)
* 1:300061 <-> ENABLED <-> SERVER-OTHER Apache Log4j logging remote code execution attempt (snort3-native.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (snort3-file-pdf.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (snort3-malware-cnc.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (snort3-server-webapp.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-server-webapp.rules)
* 1:300053 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (snort3-native.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59104 <-> DISABLED <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt (protocol-dns.rules)
* 1:59105 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59117 <-> ENABLED <-> PROTOCOL-OTHER Git LFS object request detected (protocol-other.rules)
* 1:59106 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt (file-pdf.rules)
* 1:59116 <-> DISABLED <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt (protocol-other.rules)
* 1:59103 <-> ENABLED <-> SERVER-WEBAPP October CMS authentication bypass attempt (server-webapp.rules)
* 1:59101 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59109 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt (server-webapp.rules)
* 1:59102 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt (file-pdf.rules)
* 1:59110 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59111 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection (malware-cnc.rules)
* 1:59115 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:59114 <-> DISABLED <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt (server-apache.rules)
* 1:58276 <-> ENABLED <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt (server-webapp.rules)
* 1:59089 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected
* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected
* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected
* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected
* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt * 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:300060 <-> SERVER-APACHE Apache Shiro HTTP Cookie insecure deserialization attempt
* 1:300061 <-> SERVER-OTHER Apache Log4j logging remote code execution attempt
* 1:59101 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59102 <-> FILE-PDF Adobe Acrobat PDF AcroForm addField use-after-free attempt
* 1:59103 <-> SERVER-WEBAPP October CMS authentication bypass attempt
* 1:59104 <-> PROTOCOL-DNS Dnsmasq PX extract_name buffer overflow attempt
* 1:59105 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59106 <-> FILE-PDF Adobe Acrobat PDF thermometer use-after-free attempt
* 1:59109 <-> SERVER-WEBAPP Oracle WebLogic core server remote code execution attempt
* 1:59110 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59111 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59112 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59113 <-> MALWARE-CNC Win.Trojan.Patchwork RAT variant outbound connection
* 1:59114 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59115 <-> SERVER-APACHE Apache Druid JDBC connection remote code execution attempt
* 1:59116 <-> PROTOCOL-OTHER Git LFS clone arbitrary code execution attempt
* 1:59117 <-> PROTOCOL-OTHER Git LFS object request detected

* 1:300053 <-> SERVER-WEBAPP Apache HTTP Server httpd directory traversal attempt
* 1:59089 <-> SERVER-WEBAPP Trend Micro SafeSync for Enterprise storage API command injection attempt