Documents

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author by clicking on their names below.


Latest rule documents
1-38027
This rule alerts when it sees a PDF that is trying to use a function which initiates network communication, which can violate corporate policy and is used in a number of Adobe exploits.
1-38022
This rule detects specific binary artifacts of RC4 decryption.
1-54675
This rule looks for requests for ASP files coming from an attacked host during a secondary stage of attack.
1-54674
This rule looks for the use of the StartRemoteProjectCopy function of Rockwell FactoryTalk View SE to cause the server to copy a project from an attacker-controlled URI locally to the server.
1-54673
This rule looks for the use of the BackupHMI function in an HTTP request coming from a FactoryTalk device. This could be an indication of potential compromise.
1-54672
This rule looks for a large number of page requests to ASP files on the Rockwell FactoryTalk server in a short period of time, made in an attempt to win a race condition and trigger an attacker's uploaded ASP file.