Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
* 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
* 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
* 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
* 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
* 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
* 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
* 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
* 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
* 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
* 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
* 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
* 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
* 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
* 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42376 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42375 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42374 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42373 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42372 <-> DISABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42371 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42370 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42369 <-> ENABLED <-> FILE-IDENTIFY gzip compressed file detected (file-identify.rules)
* 1:42368 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42367 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42366 <-> ENABLED <-> FILE-IDENTIFY XZ compressed file detected (file-identify.rules)
* 1:42365 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42364 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42363 <-> ENABLED <-> FILE-IDENTIFY bzip2 compressed file detected (file-identify.rules)
* 1:42362 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42361 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42360 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42359 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42358 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42357 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42356 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42355 <-> DISABLED <-> SERVER-OTHER 389-ds-base bind code execution attempt (server-other.rules)
* 1:42354 <-> DISABLED <-> SERVER-WEBAPP Squirrelmail sendmail delivery parameter injection attempt (server-webapp.rules)
* 1:42351 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42350 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42349 <-> DISABLED <-> PROTOCOL-SCADA InduSoft Web Studio CEServer buffer overflow attempt (protocol-scada.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection attempt (malware-cnc.rules)
* 1:42347 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42346 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42345 <-> DISABLED <-> SERVER-WEBAPP Tenable Appliance simpleupload.py command injection attempt (server-webapp.rules)
* 1:42344 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42343 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42342 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42341 <-> DISABLED <-> FILE-PDF Adobe PDF CFF font parsing memory corruption vulnerability attempt (file-pdf.rules)
* 1:42340 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (os-windows.rules)
* 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
* 1:42338 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request information leak attempt (os-windows.rules)
* 1:42337 <-> DISABLED <-> INDICATOR-COMPROMISE Zabbix Proxy configuration containing script detected (indicator-compromise.rules)
* 1:42336 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt (server-webapp.rules)
* 1:42335 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42334 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42333 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt (server-webapp.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:42330 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (malware-cnc.rules)
* 1:42329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (malware-cnc.rules)
* 1:42328 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42327 <-> DISABLED <-> SERVER-WEBAPP Cpanel cgiemail format string code execution attempt (server-webapp.rules)
* 1:42326 <-> ENABLED <-> SERVER-OTHER Zabbix Server Trapper code execution attempt (server-other.rules)
* 1:42325 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42324 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader overly large segment size out of bounds read attempt (file-image.rules)
* 1:42323 <-> DISABLED <-> SERVER-WEBAPP IOServer OPC Server directory traversal exploitation attempt (server-webapp.rules)
* 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
* 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
* 3:42313 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 3:42314 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0322 attack attempt (file-pdf.rules)
* 3:42319 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42320 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0321 attack attempt (file-pdf.rules)
* 3:42321 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42322 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0324 attack attempt (file-other.rules)
* 3:42352 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 3:42353 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0319 attack attempt (file-pdf.rules)
* 1:42256 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected (os-windows.rules)