Talos has added and modified multiple rules in the app-detect, blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, netbios, policy-other, protocol-dns, protocol-rpc, protocol-voip, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
* 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
* 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
* 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
* 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
* 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
* 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
* 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
* 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
* 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
* 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-326 check_login command injection attempt (server-webapp.rules)
* 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
* 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
* 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)
Modified rules:
* 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
* 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
* 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
* 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)
* 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)
* 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
* 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
* 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
* 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
* 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
* 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)
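The "gid:sid <-> Default rule state <-> Message (rule group)" format is regular enough to parse mechanically, which is how a site reconciles a release's defaults against its own policy: most of the added rules above ship DISABLED, so anyone who wants coverage for, say, the server-webapp or app-detect entries has to turn them on deliberately, and the ENABLED ones are the only changes that take effect on an unmodified policy. The script below is an added example, not Talos tooling; the sample entries are copied from the list above (deliberately in the run-together single-line form the published page uses, which the parser tolerates alongside one entry per line), and the function names are my own.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry: "gid:sid <-> STATE <-> MESSAGE (group.rules)".
# Entries may be one per line or run together on a single line separated by
# " * ", so the pattern is applied with finditer over the whole text rather
# than line by line.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+)\.rules\)"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool      # default rule state in the shipped policy
    category: str      # leading message token, e.g. "MALWARE-CNC"
    msg: str           # full message text without the "(group.rules)" suffix
    group: str         # rule file name without ".rules"


def parse_changelog(text: str) -> list[RuleChange]:
    """Extract every entry from changelog text, in order of appearance."""
    changes = []
    for m in ENTRY_RE.finditer(text):
        msg = m.group("msg")
        changes.append(RuleChange(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            category=msg.split(" ", 1)[0],
            msg=msg,
            group=m.group("group"),
        ))
    return changes


def enabled_by_default(changes: list[RuleChange]) -> list[tuple[int, int]]:
    """(gid, sid) pairs that become active on an unmodified policy."""
    return sorted((c.gid, c.sid) for c in changes if c.enabled)


def count_by_group(changes: list[RuleChange]) -> dict[str, int]:
    """How many entries touch each rule file."""
    return dict(Counter(c.group for c in changes))


def disabled_for_groups(changes: list[RuleChange], groups: set[str]) -> list[int]:
    """SIDs a site must enable itself if it wants coverage from these groups."""
    return sorted(c.sid for c in changes if not c.enabled and c.group in groups)


# Sample input: entries copied from the list above, mixing the run-together
# form and the one-per-line form.
SAMPLE = (
    "* 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules) "
    "* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules) "
    "* 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules) "
    "* 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)\n"
    "* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)\n"
)

if __name__ == "__main__":
    changes = parse_changelog(SAMPLE)
    for c in changes:
        print(f"{c.gid}:{c.sid} {'on ' if c.enabled else 'off'} {c.group:15} {c.msg}")
    print("enabled by default:", enabled_by_default(changes))
    print("entries per group:", count_by_group(changes))
    print("off by default in server-webapp:", disabled_for_groups(changes, {"server-webapp"}))
```

Note that the gid is kept rather than discarded: 3:37358 is a shared-object rule, not a text rule, so enabling it means loading the precompiled SO for the matching Snort build, which is why the page lists separate packs for 2962, 2976 and 2980.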
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
* 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
* 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
* 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
* 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
* 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
* 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
* 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
* 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
* 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
* 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-326 check_login command injection attempt (server-webapp.rules)
* 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
* 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
* 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)
Modified rules:
* 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
* 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
* 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
* 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)
* 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)
* 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
* 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
* 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
* 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
* 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
* 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:37293 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37294 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:37295 <-> ENABLED <-> BLACKLIST DNS request for known malware domain leotindall.com - Win.Trojan.Sesramot (blacklist.rules)
* 1:37296 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37297 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sesramot variant outbound connection attempt (malware-cnc.rules)
* 1:37298 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37299 <-> DISABLED <-> APP-DETECT Hola VPN installation attempt (app-detect.rules)
* 1:37300 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37301 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37302 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt (app-detect.rules)
* 1:37303 <-> DISABLED <-> APP-DETECT Hola VPN X-Hola-Version header attempt (app-detect.rules)
* 1:37304 <-> DISABLED <-> APP-DETECT Hola VPN non-http port ping (app-detect.rules)
* 1:37305 <-> DISABLED <-> APP-DETECT Hola VPN tunnel keep alive (app-detect.rules)
* 1:37306 <-> DISABLED <-> APP-DETECT Hola VPN startup attempt (app-detect.rules)
* 1:37307 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain hola.org (blacklist.rules)
* 1:37308 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdns-ssl.com (blacklist.rules)
* 1:37309 <-> DISABLED <-> BLACKLIST DNS request for Hola VPN domain holanetworksltd.netdna-cdn.com (blacklist.rules)
* 1:37310 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37311 <-> DISABLED <-> BROWSER-CHROME Google Chrome MOTW pageSerializer HTML injection attempt (browser-chrome.rules)
* 1:37312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37313 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader external entity data exfiltration attempt (file-pdf.rules)
* 1:37314 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37315 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
* 1:37316 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound communication attempt (malware-cnc.rules)
* 1:37318 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37319 <-> DISABLED <-> FILE-OFFICE Microsoft Word rpawinet.dll dll-load exploit attempt (file-office.rules)
* 1:37320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sakurel variant outbound connection (malware-cnc.rules)
* 1:37321 <-> DISABLED <-> SERVER-WEBAPP Cacti graphs_new.php SQL injection attempt (server-webapp.rules)
* 1:37322 <-> ENABLED <-> BLACKLIST DNS request for known malware domain coding-revolution.to - Win.Trojan.Direvex (blacklist.rules)
* 1:37323 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Direvex variant outbound connection attempt (malware-cnc.rules)
* 1:37324 <-> DISABLED <-> SERVER-WEBAPP AVM FritzBox dsl_control stack buffer overflow attempt (server-webapp.rules)
* 1:37325 <-> DISABLED <-> BROWSER-CHROME Google Chrome same origin policy bypass attempt (browser-chrome.rules)
* 1:37326 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37327 <-> DISABLED <-> BROWSER-CHROME Google Chrome PDF Viewer information disclosure attempt (browser-chrome.rules)
* 1:37328 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37329 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37330 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37331 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37332 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37333 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37334 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37335 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37336 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37337 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37338 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37339 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37340 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37341 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37342 <-> DISABLED <-> FILE-IMAGE Adobe Camera Raw Plug-in TIFF image processing buffer underflow attempt (file-image.rules)
* 1:37343 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-326 check_login command injection attempt (server-webapp.rules)
* 1:37344 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37345 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37346 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37347 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
* 1:37348 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37349 <-> DISABLED <-> SERVER-WEBAPP Limesurvey unauthenticated file download attempt (server-webapp.rules)
* 1:37350 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37351 <-> ENABLED <-> FILE-FLASH Adobe Flash Player invalid parent pointer use after free attempt (file-flash.rules)
* 1:37352 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37353 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SimpleButton constructor type confusion attempt (file-flash.rules)
* 1:37354 <-> DISABLED <-> APP-DETECT Jenkins Groovy script access through script console attempt (app-detect.rules)
* 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:37359 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt (malware-cnc.rules)
* 1:37360 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt (malware-cnc.rules)
* 3:37358 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine default password authentication attempt (server-webapp.rules)
Modified rules:
* 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
* 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
* 1:6407 <-> DISABLED <-> APP-DETECT Gizmo register VOIP state (app-detect.rules)
* 1:11968 <-> DISABLED <-> PROTOCOL-VOIP inbound INVITE message (protocol-voip.rules)
* 1:12100 <-> DISABLED <-> NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt (netbios.rules)
* 1:12357 <-> DISABLED <-> SERVER-OTHER Apple mDNSresponder excessive HTTP headers (server-other.rules)
* 1:12708 <-> DISABLED <-> PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt (protocol-rpc.rules)
* 1:14019 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:14020 <-> DISABLED <-> FILE-MULTIMEDIA CyberLink PowerDVD playlist file handling stack overflow attempt (file-multimedia.rules)
* 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
* 1:16739 <-> DISABLED <-> FILE-MULTIMEDIA Multiple audio players playlist file handling heap overflow attempt (file-multimedia.rules)
* 1:17495 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS response spoofing attempt (server-other.rules)
* 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
* 1:23280 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer corrupted HROW instance write access violation attempt (browser-ie.rules)
* 1:25604 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file download request (file-identify.rules)
* 1:25605 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25606 <-> ENABLED <-> FILE-IDENTIFY cSounds.com Csound audio file file attachment detected (file-identify.rules)
* 1:25607 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:32128 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php command injection attempt (server-webapp.rules)
* 1:32203 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure ldapsyncnow.php command injection attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:32268 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:32269 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure confpremenu.php install license command injection attempt (server-webapp.rules)
* 1:33157 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33158 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CClipStack array index exploitation attempt (browser-ie.rules)
* 1:33188 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection (indicator-compromise.rules)
* 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
* 1:36915 <-> DISABLED <-> POLICY-OTHER ManageEngine EventLog Analyzer runQuery.do insecure SQL query attempt (policy-other.rules)
* 1:37213 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection attempt (malware-cnc.rules)