Talos has added and modified multiple rules in the file-image, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
* 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
* 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
* 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
* 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
* 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
* 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
* 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
* 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
* 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
* 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
* 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
* 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
* 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
* 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
* 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (snort3-malware-cnc.rules)
* 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
* 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (snort3-server-webapp.rules)
* 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (snort3-server-webapp.rules)
* 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (snort3-server-webapp.rules)
* 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
* 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
* 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (snort3-file-image.rules)
* 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
* 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (snort3-server-webapp.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
* 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (snort3-server-webapp.rules)
* 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (snort3-file-image.rules)
* 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (snort3-file-image.rules)
* 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (snort3-file-image.rules)
* 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
* 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (snort3-file-image.rules)
* 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
* 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (snort3-indicator-compromise.rules)
* 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (snort3-indicator-obfuscation.rules)
* 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (snort3-indicator-compromise.rules)
* 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules)
* 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (snort3-indicator-obfuscation.rules)
* 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (snort3-server-webapp.rules)
* 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
* 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (snort3-file-image.rules)
* 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
* 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (snort3-file-pdf.rules)
* 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (snort3-malware-cnc.rules)
* 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (snort3-file-other.rules)
* 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (snort3-file-other.rules)
* 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (snort3-malware-cnc.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)
* 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (snort3-file-other.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (snort3-malware-other.rules)
* 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (snort3-file-other.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
* 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
* 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
* 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
* 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
* 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
* 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
* 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
* 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47384 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 1:47383 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47382 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro use after free attempt (file-image.rules)
* 1:47381 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47380 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent variant download attempt (malware-other.rules)
* 1:47379 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47378 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
* 1:47377 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt (malware-cnc.rules)
* 1:47376 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47375 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47374 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47373 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection (malware-cnc.rules)
* 1:47372 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47371 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT engine use after free attempt (file-pdf.rules)
* 1:47370 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47369 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds memory access attempt (file-other.rules)
* 1:47368 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47367 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro PSD malformed image data out-of-bounds write attempt (file-image.rules)
* 1:47402 <-> DISABLED <-> INDICATOR-OBFUSCATION FTP file upload over non-standard port attempt (indicator-obfuscation.rules)
* 1:47401 <-> DISABLED <-> INDICATOR-OBFUSCATION ICMP HTTP tunneling attempt (indicator-obfuscation.rules)
* 1:47400 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft powershell.exe outbound shell attempt (indicator-compromise.rules)
* 1:47399 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47398 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft cmd.exe outbound shell attempt (indicator-compromise.rules)
* 1:47397 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47396 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader malformed JPEG quantization table out-of-bounds write attempt (file-image.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47392 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47391 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API set_VM_network command injection attempt (server-webapp.rules)
* 1:47390 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47389 <-> ENABLED <-> SERVER-WEBAPP Oracle WebLogic Server arbitrary JSP file upload attempt (server-webapp.rules)
* 1:47388 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt (server-webapp.rules)
* 1:47387 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt (server-webapp.rules)
* 1:47386 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt (server-webapp.rules)
* 1:47385 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
* 3:47412 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47410 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47411 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47408 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47409 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47406 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47407 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47404 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47405 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47395 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 3:47403 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0641 attack attempt (file-office.rules)
* 3:47394 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player out of bounds write attempt (file-other.rules)
* 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DanaBot (malware-other.rules)
* 1:47139 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:47140 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawBeziers out-of-bounds read attempt (file-other.rules)
* 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
* 1:45564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
* 1:45563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt (malware-cnc.rules)
* 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
* 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
* 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)