Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-executable, file-identify, file-other, indicator-compromise, malware-backdoor, malware-cnc, protocol-other, pua-adware, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
* 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
* 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
* 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
* 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
* 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
* 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
* 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
* 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
* 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
* 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
* 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
* 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
* 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
* 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
* 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
* 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
* 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
* 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
* 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
* 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
* 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
* 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
* 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
* 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
* 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
* 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
* 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
* 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
* 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
* 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
* 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
* 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
* 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
* 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
* 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
* 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (snort3-server-webapp.rules)
* 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (snort3-file-identify.rules)
* 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (snort3-malware-backdoor.rules)
* 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (snort3-server-webapp.rules)
* 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (snort3-file-identify.rules)
* 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
* 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (snort3-malware-backdoor.rules)
* 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
* 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (snort3-browser-other.rules)
* 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (snort3-browser-other.rules)
* 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (snort3-file-executable.rules)
* 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (snort3-file-executable.rules)
* 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)
* 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (snort3-file-identify.rules)
* 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)
* 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (snort3-server-other.rules)
* 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
* 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (snort3-pua-other.rules)
* 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (snort3-protocol-other.rules)
* 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (snort3-malware-cnc.rules)
* 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (snort3-pua-other.rules)
* 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (snort3-pua-other.rules)
* 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (snort3-protocol-other.rules)
* 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (snort3-server-other.rules)
* 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (snort3-server-webapp.rules)
* 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (snort3-pua-other.rules)
* 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (snort3-indicator-compromise.rules)
* 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (snort3-server-other.rules)
* 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (snort3-server-other.rules)
* 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (snort3-browser-ie.rules)
* 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (snort3-server-other.rules)
* 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (snort3-pua-other.rules)
* 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (snort3-server-webapp.rules)
* 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (snort3-browser-ie.rules)
* 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (snort3-malware-cnc.rules)
* 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (snort3-server-webapp.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (snort3-pua-adware.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (snort3-malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
* 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (snort3-malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
* 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
* 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
* 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
* 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
* 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
* 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
* 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
* 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
* 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
* 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
* 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
* 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
* 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
* 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
* 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
* 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
* 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
* 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46355 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46354 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46353 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk download-file directory traversal attempt (server-webapp.rules)
* 1:46352 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46351 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi EZPcAut220 ActiveX clsid access attempt (browser-plugins.rules)
* 1:46350 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46349 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46348 <-> ENABLED <-> SERVER-WEBAPP NetIQ Access Manager Identity Server directory traversal attempt (server-webapp.rules)
* 1:46347 <-> DISABLED <-> SERVER-WEBAPP MediaWiki index.php rs cross site scripting attempt (server-webapp.rules)
* 1:46372 <-> ENABLED <-> PUA-OTHER Moonify TLS client hello attempt (pua-other.rules)
* 1:46371 <-> ENABLED <-> PUA-OTHER Moonify TLS server hello attempt (pua-other.rules)
* 1:46370 <-> ENABLED <-> PUA-OTHER Moonify Miner client detected (pua-other.rules)
* 1:46369 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell access attempt (malware-backdoor.rules)
* 1:46368 <-> DISABLED <-> MALWARE-BACKDOOR JSP Web shell upload attempt (malware-backdoor.rules)
* 1:46367 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file download detected (file-identify.rules)
* 1:46366 <-> ENABLED <-> PUA-OTHER CryptoNight webassembly download attempt (pua-other.rules)
* 1:46365 <-> ENABLED <-> PUA-OTHER CoinHive Miner client detected (pua-other.rules)
* 1:46364 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46363 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46362 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46361 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46360 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46359 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46358 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46357 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46356 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Wroba outbound connection (malware-cnc.rules)
* 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
* 1:46374 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46373 <-> DISABLED <-> PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt (protocol-other.rules)
* 1:46378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper variant outbound connection (malware-cnc.rules)
* 1:46377 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46376 <-> DISABLED <-> SERVER-OTHER libgd heap-overflow attempt (server-other.rules)
* 1:46385 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46379 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46382 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration denial of service attempt (server-other.rules)
* 1:46381 <-> DISABLED <-> INDICATOR-COMPROMISE Potential data exfiltration through Google form submission (indicator-compromise.rules)
* 1:46380 <-> DISABLED <-> SERVER-WEBAPP Afian FileRun SQL injection attempt (server-webapp.rules)
* 1:46384 <-> ENABLED <-> BROWSER-IE Internet Explorer URL file remote code execution attempt detected (browser-ie.rules)
* 1:46383 <-> DISABLED <-> SERVER-OTHER Micro Focus Operations Orchestration information disclosure attempt (server-other.rules)
* 1:46399 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46398 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox table object integer underflow (browser-other.rules)
* 1:46397 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46396 <-> ENABLED <-> FILE-EXECUTABLE Win.Ransomware.Rapid download attempt (file-executable.rules)
* 1:46394 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file attachment detected (file-identify.rules)
* 1:46393 <-> ENABLED <-> FILE-IDENTIFY WebAssembly file detected (file-identify.rules)
* 1:46387 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt (server-other.rules)
* 3:46386 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI arbitrary file write attempt (server-webapp.rules)
* 3:46388 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46389 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0579 attack attempt (file-other.rules)
* 3:46390 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46391 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46392 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0577 attack attempt (server-webapp.rules)
* 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)

* 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:29991 <-> DISABLED <-> PUA-ADWARE The Best All Codecs App runtime detection (pua-adware.rules)
* 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
* 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
* 3:46142 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0551 attack attempt (server-webapp.rules)