Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, netbios, os-linux, os-windows, policy-other, policy-social, protocol-dns, protocol-snmp, server-apache, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36879 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36868 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36869 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36872 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36870 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36871 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36875 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36858 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36859 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36860 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36861 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:36862 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36863 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36864 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36865 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36866 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36884 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36886 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36885 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36867 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36880 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36876 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36887 <-> DISABLED <-> POLICY-OTHER self-signed SSL certificate eDellRoot use attempt (policy-other.rules)
* 1:36854 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)
* 1:36857 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:36878 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36856 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:36855 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:10018 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt (netbios.rules)
* 1:20431 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:10486 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt (netbios.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:28623 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36798 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page detected (exploit-kit.rules)
* 1:28624 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)
* 1:16147 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS malformed URL .dll denial of service attempt (server-iis.rules)
* 1:16153 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:16727 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:23283 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:17635 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt (netbios.rules)
* 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
* 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:23284 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:20237 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:18802 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt (server-webapp.rules)
* 1:19259 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:33987 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
* 1:34864 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:10161 <-> ENABLED <-> NETBIOS SMB write_andx overflow attempt (netbios.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:16728 <-> ENABLED <-> NETBIOS Samba SMB1 chain_reply function memory corruption attempt (netbios.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:35894 <-> ENABLED <-> SERVER-OTHER HP OpenView Data Protector Omnilnet command injection attempt (server-other.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36859 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36860 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36862 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36861 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36864 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36863 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36865 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36866 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36887 <-> DISABLED <-> POLICY-OTHER self-signed SSL certificate eDellRoot use attempt (policy-other.rules)
* 1:36867 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36868 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36869 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36870 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36871 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36872 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36875 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36876 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:36878 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36879 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36880 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36884 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36885 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36886 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36858 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36856 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:36855 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:36854 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)
* 1:36857 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:23283 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:28624 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:28623 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:36798 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page detected (exploit-kit.rules)
* 1:23284 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:20431 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:10018 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt (netbios.rules)
* 1:10486 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt (netbios.rules)
* 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)
* 1:16147 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS malformed URL .dll denial of service attempt (server-iis.rules)
* 1:16153 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:16727 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:20237 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:17635 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt (netbios.rules)
* 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
* 1:19259 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:18802 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt (server-webapp.rules)
* 1:34864 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:33987 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:36125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:35894 <-> ENABLED <-> SERVER-OTHER HP OpenView Data Protector Omnilnet command injection attempt (server-other.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:10161 <-> ENABLED <-> NETBIOS SMB write_andx overflow attempt (netbios.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:16728 <-> ENABLED <-> NETBIOS Samba SMB1 chain_reply function memory corruption attempt (netbios.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:13825 <-> ENABLED <->
OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36887 <-> DISABLED <-> POLICY-OTHER self-signed SSL certificate eDellRoot use attempt (policy-other.rules)
* 1:36886 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36885 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:36884 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt (file-image.rules)
* 1:36883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36882 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36881 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36880 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36879 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36878 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SWF buffer overflow attempt (file-flash.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:36876 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36875 <-> ENABLED <-> FILE-FLASH Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt (file-flash.rules)
* 1:36874 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36873 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 ActionCallMethod use-after-free attempt (file-flash.rules)
* 1:36872 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36871 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Aztec ActiveX clsid access attempt (browser-plugins.rules)
* 1:36870 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36869 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.PDF417 ActiveX clsid access attempt (browser-plugins.rules)
* 1:36868 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36867 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36866 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt (browser-plugins.rules)
* 1:36865 <-> DISABLED <-> BROWSER-PLUGINS IDAutomation IDAuto.BarCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:36864 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36863 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36862 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36861 <-> ENABLED <-> FILE-FLASH Adobe Flash Player attachsound use-after-free attempt (file-flash.rules)
* 1:36860 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36859 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36858 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36857 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:36856 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:36855 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:36854 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)

* 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:28623 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:28624 <-> DISABLED <-> FILE-PDF Adobe Acrobat font parsing integer overflow attempt (file-pdf.rules)
* 1:23284 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:20431 <-> ENABLED <-> FILE-OTHER Wireshark DECT packet dissector overflow attempt (file-other.rules)
* 1:23283 <-> DISABLED <-> BROWSER-PLUGINS Oracle WebCenter Forms Recognition ActiveX clsid access attempt (browser-plugins.rules)
* 1:20237 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17696 <-> ENABLED <-> PROTOCOL-DNS Microsoft Windows DNS Server ANY query cache weakness (protocol-dns.rules)
* 1:19259 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel WOpt record memory corruption attempt (file-office.rules)
* 1:18802 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager formExportDataLogs directory traversal attempt (server-webapp.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:17635 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt (netbios.rules)
* 1:16727 <-> DISABLED <-> FILE-OTHER IDEAL Administration IPJ file handling stack overflow attempt (file-other.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Jukebox playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:16147 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS malformed URL .dll denial of service attempt (server-iis.rules)
* 1:16153 <-> DISABLED <-> FILE-IMAGE Microsoft Windows malformed WMF meta escape record memory corruption attempt (file-image.rules)
* 1:10486 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt (netbios.rules)
* 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)
* 1:10018 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt (netbios.rules)
* 1:36798 <-> DISABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page detected (exploit-kit.rules)
* 1:36612 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
* 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
* 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
* 1:36125 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS3 opaqueBackground use-after-free attempt (file-flash.rules)
* 1:34864 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:33987 <-> DISABLED <-> SERVER-OTHER Symantec System Center Alert Management System untrusted command execution attempt (server-other.rules)
* 1:32565 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32564 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32473 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32472 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32471 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:32470 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 3:7196 <-> ENABLED <-> OS-WINDOWS Microsoft DHCP option overflow attempt (os-windows.rules)
* 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)
* 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:35894 <-> ENABLED <-> SERVER-OTHER HP OpenView Data Protector OmniInet command injection attempt (server-other.rules)
* 3:28487 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:28488 <-> ENABLED <-> OS-WINDOWS Microsoft GDI library TIFF handling memory corruption attempt (os-windows.rules)
* 3:26972 <-> ENABLED <-> SERVER-OTHER CUPS IPP multi-valued attribute memory corruption attempt (server-other.rules)
* 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
* 3:15009 <-> ENABLED <-> OS-WINDOWS possible SMB replay attempt - overlapping encryption keys detected (os-windows.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
* 3:21352 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:19187 <-> ENABLED <-> PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt (protocol-dns.rules)
* 3:20825 <-> ENABLED <-> SERVER-WEBAPP generic web server hashing collision attack (server-webapp.rules)
* 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
* 3:18673 <-> ENABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 3:18101 <-> ENABLED <-> SERVER-OTHER Sun Directory Server LDAP denial of service attempt (server-other.rules)
* 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:17765 <-> ENABLED <-> OS-WINDOWS OpenType Font file parsing buffer overflow attempt (os-windows.rules)
* 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
* 3:17741 <-> ENABLED <-> SERVER-OTHER MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt (server-other.rules)
* 3:17699 <-> ENABLED <-> PROTOCOL-SNMP Multiple vendor SNMPv3 HMAC handling authentication bypass attempt (protocol-snmp.rules)
* 3:17697 <-> ENABLED <-> POLICY-SOCIAL GnuPG Message Packet Length overflow attempt (policy-social.rules)
* 3:17693 <-> ENABLED <-> SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt (server-mail.rules)
* 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
* 3:17663 <-> ENABLED <-> SERVER-OTHER Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt (server-other.rules)
* 3:17632 <-> ENABLED <-> PROTOCOL-SNMP Castle Rock Computing SNMPc Network Manager community string attempted stack overflow (protocol-snmp.rules)
* 3:16728 <-> ENABLED <-> NETBIOS Samba SMB1 chain_reply function memory corruption attempt (netbios.rules)
* 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
* 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
* 3:16532 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:16531 <-> ENABLED <-> NETBIOS SMB client TRANS response ring0 remote code execution attempt (netbios.rules)
* 3:16415 <-> ENABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
* 3:16370 <-> ENABLED <-> FILE-PDF Adobe Reader JP2C Region Atom CompNum memory corruption attempt (file-pdf.rules)
* 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
* 3:14263 <-> ENABLED <-> POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt (policy-social.rules)
* 3:14260 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt (os-windows.rules)
* 3:16232 <-> ENABLED <-> OS-WINDOWS Windows TrueType font file parsing integer overflow attempt (os-windows.rules)
* 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
* 3:13308 <-> ENABLED <-> SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability (server-apache.rules)
* 3:15124 <-> ENABLED <-> OS-WINDOWS Web-based NTLM replay attack attempt (os-windows.rules)
* 3:15149 <-> ENABLED <-> SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt (server-oracle.rules)
* 3:13417 <-> ENABLED <-> SERVER-OTHER Citrix MetaFrame IMA authentication processing buffer overflow attempt (server-other.rules)
* 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
* 3:15301 <-> ENABLED <-> SERVER-MAIL Exchange compressed RTF remote code execution attempt (server-mail.rules)
* 3:15327 <-> ENABLED <-> PROTOCOL-DNS libspf2 DNS TXT record parsing buffer overflow attempt (protocol-dns.rules)
* 3:15453 <-> ENABLED <-> OS-WINDOWS SMB replay attempt via NTLMSSP - overlapping encryption keys detected (os-windows.rules)
* 3:13418 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt (server-other.rules)
* 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
* 3:12028 <-> ENABLED <-> SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt (server-mail.rules)
* 3:10161 <-> ENABLED <-> NETBIOS SMB write_andx overflow attempt (netbios.rules)
* 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
* 3:11619 <-> ENABLED <-> SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt (server-mysql.rules)
* 3:13425 <-> ENABLED <-> SERVER-OTHER openldap server bind request denial of service attempt (server-other.rules)
* 3:15973 <-> ENABLED <-> SERVER-OTHER Novell eDirectory LDAP null search parameter buffer overflow attempt (server-other.rules)
* 3:15474 <-> ENABLED <-> SERVER-OTHER Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt (server-other.rules)
* 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
* 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
* 3:13510 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest heap overflow attempt (server-other.rules)
* 3:15734 <-> ENABLED <-> PROTOCOL-DNS BIND named 9 dynamic update message remote dos attempt (protocol-dns.rules)
* 3:13511 <-> ENABLED <-> SERVER-OTHER Novell eDirectory EventsRequest invalid event count exploit attempt (server-other.rules)
* 3:15847 <-> ENABLED <-> OS-WINDOWS Telnet-based NTLM replay attack attempt (os-windows.rules)
* 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
* 3:15968 <-> ENABLED <-> SERVER-OTHER LANDesk Management Suite QIP service heal packet buffer overflow attempt (server-other.rules)
* 3:13773 <-> ENABLED <-> OS-LINUX linux kernel snmp nat netfilter memory corruption attempt (os-linux.rules)
* 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 3:13825 <-> ENABLED <-> OS-WINDOWS Microsoft PGM fragment denial of service attempt (os-windows.rules)
* 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
* 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
* 3:13879 <-> ENABLED <-> OS-WINDOWS Windows BMP image conversion arbitrary code execution attempt (os-windows.rules)
* 3:15959 <-> ENABLED <-> SERVER-IIS Microsoft ASP.NET viewstate DoS attempt (server-iis.rules)
* 3:13921 <-> ENABLED <-> SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt (server-mail.rules)
* 3:14251 <-> ENABLED <-> OS-WINDOWS Microsoft GDI malformed metarecord buffer overflow attempt (os-windows.rules)
* 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
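The lists above are in the raw "gid:sid <-> Default rule state <-> Message (rule group)" format, which is what a rule maintainer actually works from after a rule-pack update. The following is an added example, not Talos, Snort or pulledpork code, of a parser for that format: it also undoes the run-together lines that extraction produced on this page, and then pulls out the two things worth checking after an update, namely which rules ship DISABLED and so need a local decision, and which are gid 3 shared-object rules that only load when the precompiled SO bundle for the Snort build is installed. The sample entries are copied from the list above; the function names and the regular expressions are assumptions of this example.

```python
import re
from collections import Counter

# Sample entries copied from the rule list on this page. The parser and the
# summaries below are an added example, not Talos or Snort tooling.
SAMPLE = """\
* 1:36887 <-> DISABLED <-> POLICY-OTHER self-signed SSL certificate eDellRoot use attempt (policy-other.rules)
* 1:36883 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array uncompress information disclosure attempt (file-flash.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 3:17775 <-> ENABLED <-> INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected (indicator-shellcode.rules)
* 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)
"""

# One entry: optional leading "* ", gid:sid, state, free-text message and the
# rules file in parentheses at the very end. The message is matched lazily so
# that only the final "(....rules)" is taken as the rule group.
ENTRY_RE = re.compile(
    r"^(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def split_flattened(text):
    """Undo the extraction damage seen on this page: many entries joined on one
    line and separated by ' * '. Split just before each 'gid:sid <->' token."""
    parts = re.split(r"\s*\*\s*(?=\d+:\d+\s*<->)", text)
    return "\n".join("* " + p.strip() for p in parts if p.strip())


def parse_changelog(text):
    """Return a dict per well-formed entry; headers and prose are skipped
    rather than guessed at."""
    entries = []
    for line in split_flattened(text).splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["gid"], e["sid"] = int(e["gid"]), int(e["sid"])
        entries.append(e)
    return entries


def disabled_by_default(entries):
    """gid:sid strings for rules shipped DISABLED. These are the ones to review
    for a local enable list (the gid:sid form that rule-management tools such
    as pulledpork accept); everything else is already on in the shipped file."""
    return [f"{e['gid']}:{e['sid']}" for e in entries if e["state"] == "DISABLED"]


def shared_object_rules(entries):
    """gid 3 entries are shared-object (SO) rules: they only load when the
    precompiled .so matching the Snort build and platform is installed, so a
    text-only rule update silently leaves them out."""
    return [f"{e['gid']}:{e['sid']}" for e in entries if e["gid"] == 3]


def count_by_group(entries):
    """How many changed rules land in each rules file."""
    return Counter(e["group"] for e in entries)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("disabled by default:", disabled_by_default(rules))
    print("shared-object rules:", shared_object_rules(rules))
    for group, n in count_by_group(rules).most_common():
        print(f"{n:3d}  {group}")
```

Run it against the full changelog text rather than SAMPLE to get the real picture for a rule pack. DISABLED is the state in the file as shipped; whether a rule fires on a sensor is decided by the local policy and by any enablesid/disablesid overrides applied on top, so the disabled list is a review queue, not a list of rules that are off everywhere.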