Microsoft Vulnerability CVE-2024-30080: A coding deficiency exists in Microsoft Message Queuing (MSMQ) that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SID 63587, Snort 3: GID 1, SID 63587.
Microsoft Vulnerability CVE-2024-30084: A coding deficiency exists in Microsoft Windows Kernel-Mode Driver that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63590 through 63591, Snort 3: GID 1, SID 300941.
Microsoft Vulnerability CVE-2024-30087: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63596 through 63597, Snort 3: GID 1, SID 300942.
Microsoft Vulnerability CVE-2024-30088: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63583 through 63584, Snort 3: GID 1, SID 300938.
Microsoft Vulnerability CVE-2024-30089: A coding deficiency exists in Microsoft Streaming Service that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63585 through 63586, Snort 3: GID 1, SID 300939.
Microsoft Vulnerability CVE-2024-30091: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63581 through 63582, Snort 3: GID 1, SID 300937.
Microsoft Vulnerability CVE-2024-35250: A coding deficiency exists in Microsoft Windows Kernel-Mode Driver that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 63588 through 63589, Snort 3: GID 1, SID 300940.
Talos also has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, malware-other, os-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:63574 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63576 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63573 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt (browser-ie.rules) * 1:63572 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63586 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63585 <-> DISABLED <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt (os-windows.rules) * 1:63591 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63597 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63588 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63578 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63584 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63581 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63590 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt (os-windows.rules) * 1:63580 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63579 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63577 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt (malware-other.rules) * 1:63575 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:63596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63570 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 1:63587 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt (os-windows.rules) * 1:63589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt (os-windows.rules) * 1:63582 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules) * 1:63583 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt (os-windows.rules) * 1:63571 <-> DISABLED <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt (server-webapp.rules) * 3:63595 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63594 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63592 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules) * 3:63593 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt (os-other.rules)
* 1:27997 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net (app-detect.rules) * 1:41956 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27991 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules) * 1:27988 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com (app-detect.rules) * 1:27987 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com (app-detect.rules) * 1:27998 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org (app-detect.rules) * 1:32848 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za (app-detect.rules) * 1:26287 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com (app-detect.rules) * 1:26286 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org (app-detect.rules) * 1:26182 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt (browser-plugins.rules) * 1:26181 <-> DISABLED <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt (browser-plugins.rules) * 1:32849 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com (app-detect.rules) * 1:27984 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com (app-detect.rules) * 1:32851 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com (app-detect.rules) * 1:28000 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27996 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com (app-detect.rules) * 1:24397 <-> DISABLED <-> APP-DETECT Steam game URI handler (app-detect.rules) * 1:32847 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com (app-detect.rules) * 1:27993 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com (app-detect.rules) * 1:27982 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt (app-detect.rules) * 1:27989 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com (app-detect.rules) * 1:32845 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 (app-detect.rules) * 1:13359 <-> DISABLED <-> APP-DETECT failed IMAP login attempt - invalid username/password (app-detect.rules) * 1:27983 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:25981 <-> DISABLED <-> APP-DETECT Chocoplayer successful installation (app-detect.rules) * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules) * 1:28001 <-> DISABLED <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt (app-detect.rules) * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules) * 1:21488 <-> DISABLED <-> APP-DETECT User-Agent known user agent - GetRight (app-detect.rules) * 1:27995 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com (app-detect.rules) * 1:27986 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com (app-detect.rules) * 1:32846 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com (app-detect.rules) * 1:27999 <-> DISABLED <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING (app-detect.rules) * 1:32850 <-> DISABLED <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com (app-detect.rules) * 1:27990 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com (app-detect.rules) * 1:27985 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com (app-detect.rules) * 1:27992 <-> DISABLED <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com (app-detect.rules) * 1:41957 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules) * 1:27994 <-> DISABLED <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us (app-detect.rules)
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.2.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.35.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.44.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt
This is the complete list of rules modified and added in the Cisco Talos Certified rule pack for Snort version 3.1.47.0.
The format of the file is:
gid:sid <-> Message
* 1:300934 <-> BROWSER-IE Microsoft Edge Chakra PreVisitCatch memory corruption attempt * 1:300935 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300936 <-> MALWARE-OTHER Win.Malware.Latrodectus payload download attempt * 1:300937 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:300938 <-> OS-WINDOWS Microsoft Windows Kernel elevation of privilege attempt * 1:300939 <-> OS-WINDOWS Microsoft Win32k escalation of privilege attempt * 1:300940 <-> OS-WINDOWS Microsoft Windows Kernel Streaming Driver elevation of privilege attempt * 1:300941 <-> OS-WINDOWS Microsoft Windows kernel streaming driver elevation of privilege attempt * 1:300942 <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt * 1:63570 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63571 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63572 <-> SERVER-WEBAPP SpaceLogic C-Bus Home Controller command injection attempt * 1:63575 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63576 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:63587 <-> OS-WINDOWS Microsoft Windows Server MSMQ remote code execution attempt * 3:63592 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63593 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63594 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt * 3:63595 <-> OS-OTHER TRUFFLEHUNTER TALOS-2024-2006 attack attempt
* 1:13359 <-> APP-DETECT failed IMAP login attempt - invalid username/password * 1:21488 <-> APP-DETECT User-Agent known user agent - GetRight * 1:24397 <-> APP-DETECT Steam game URI handler * 1:25981 <-> APP-DETECT Chocoplayer successful installation * 1:26181 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX clsid access attempt * 1:26182 <-> BROWSER-PLUGINS Samsung NET-i viewer BackupToAvi ActiveX function call access attempt * 1:26286 <-> APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org * 1:26287 <-> APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com * 1:27540 <-> APP-DETECT OzymanDNS dns tunneling up attempt * 1:27541 <-> APP-DETECT OzymanDNS dns tunneling down attempt * 1:27982 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:27983 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:27984 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com * 1:27985 <-> APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com * 1:27986 <-> APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com * 1:27987 <-> APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com * 1:27988 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com * 1:27989 <-> APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com * 1:27990 <-> APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com * 1:27991 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com * 1:27992 <-> APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com * 1:27993 <-> APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com * 1:27994 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us * 1:27995 <-> APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com * 1:27996 <-> APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com * 1:27997 <-> APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net * 1:27998 <-> APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org * 1:27999 <-> APP-DETECT Possible Dynamic Internet Technology Frontgate application PING * 1:28000 <-> APP-DETECT Dynamic Internet Technology Freegate application executable download attempt * 1:28001 <-> APP-DETECT Dynamic Internet Technology Freegate application zip download attempt * 1:31302 <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt * 1:32845 <-> APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 * 1:32846 <-> APP-DETECT Absolute Software Computrace outbound connection - absolute.com * 1:32847 <-> APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com * 1:32848 <-> APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za * 1:32849 <-> APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com * 1:32850 <-> APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com * 1:32851 <-> APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com * 1:41956 <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt