Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
* 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
* 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
* 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
* 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
* 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
* 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
* 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
* 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)
* 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
* 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
* 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
* 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
* 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
* 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
* 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
* 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
* 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
* 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
* 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
* 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
* 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
* 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
* 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
* 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
* 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
* 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
* 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
* 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
* 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
* 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
* 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
* 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)
* 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
* 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38681 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka POST attempt (malware-cnc.rules)
* 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
* 1:38689 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38690 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38687 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38683 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38685 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38684 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38691 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38692 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38693 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
* 1:38680 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tooka GET attempt (malware-cnc.rules)
* 1:38694 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38695 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38682 <-> ENABLED <-> EXPLOIT-KIT Angler Exploit Kit email gate (exploit-kit.rules)
* 1:38696 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38697 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38698 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38699 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38700 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38701 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38702 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38703 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38704 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38705 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38707 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38706 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38708 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38709 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38710 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38712 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38711 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38713 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38714 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38715 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38716 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38717 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38718 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38719 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38720 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38722 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38721 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38723 <-> DISABLED <-> SERVER-WEBAPP Wordpress Simple Ads Manager SQL injection attempt (server-webapp.rules)
* 1:38724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Renegin outbound GET attempt (malware-cnc.rules)
* 1:38725 <-> ENABLED <-> BLACKLIST DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38727 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38726 <-> ENABLED <-> BLACKLIST DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38728 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon (blacklist.rules)
* 1:38686 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
* 1:38742 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
* 1:38688 <-> ENABLED <-> MALWARE-BACKDOOR JSP webshell backdoor detected (malware-backdoor.rules)
* 1:38731 <-> ENABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
* 1:38732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VBDos Runtime Detection (malware-cnc.rules)
* 1:38733 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ransom variant outbound connection (malware-cnc.rules)
* 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
* 1:38730 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 3:38756 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38741 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38740 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38735 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38737 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38738 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38739 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 3:38746 <-> ENABLED <-> MALWARE-CNC CTFMONv4 beacon attempt (malware-cnc.rules)
* 3:38748 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38747 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38749 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38750 <-> ENABLED <-> MALWARE-CNC FF-RAT outbound connection attempt (malware-cnc.rules)
* 3:38751 <-> ENABLED <-> MALWARE-CNC Jimini outbound connection attempt (malware-cnc.rules)
* 3:38752 <-> ENABLED <-> MALWARE-CNC HILIGHT outbound connection attempt (malware-cnc.rules)
* 3:38753 <-> ENABLED <-> MALWARE-CNC 1.php outbound connection attempt (malware-cnc.rules)
* 3:38754 <-> ENABLED <-> MALWARE-CNC XDOT outbound connection attempt (malware-cnc.rules)
* 3:38755 <-> ENABLED <-> MALWARE-CNC PlugX outbound connection attempt (malware-cnc.rules)
* 3:38757 <-> ENABLED <-> MALWARE-CNC PlugX outbound communication attempt (malware-cnc.rules)
* 3:38758 <-> ENABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
* 3:38745 <-> ENABLED <-> MALWARE-OTHER known phishing x-mailer attempt (malware-other.rules)
* 3:38736 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence XML API authentication bypass attempt (server-webapp.rules)
* 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
* 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
* 1:32313 <-> ENABLED <-> FILE-OTHER Microsoft Office ole object external file loading attempt (file-other.rules)
* 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)