Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-office, file-other, file-pdf, indicator-obfuscation, indicator-shellcode, malware-cnc, malware-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
* 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
* 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
* 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
* 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
* 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
* 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
* 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 (exploit-kit.rules)
* 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
* 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
* 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
* 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
* 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
* 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
* 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
* 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
* 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
* 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
* 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
* 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
* 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
* 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
* 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
* 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
* 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
* 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
* 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
* 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
* 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
* 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
* 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
* 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
* 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
* 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
* 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 (exploit-kit.rules)
* 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
* 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
* 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42852 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42851 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42850 <-> DISABLED <-> SERVER-WEBAPP Dell SonicWALL Global Management System SQL injection attempt (server-webapp.rules)
* 1:42849 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42848 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager SQL injection attempt (server-webapp.rules)
* 1:42847 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42846 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42845 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42844 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF heap overflow attempt (file-image.rules)
* 1:42843 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup Appliance download-files command injection attempt (server-webapp.rules)
* 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
* 1:42840 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog logshares_ajax.php command injection attempt (server-webapp.rules)
* 1:42839 <-> DISABLED <-> SERVER-WEBAPP Crypttech CryptoLog login.php SQL injection attempt (server-webapp.rules)
* 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
* 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
* 1:42833 <-> ENABLED <-> MALWARE-CNC Kasperagent outbound connection detected (malware-cnc.rules)
* 1:42832 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - SessionI (blacklist.rules)
* 1:42831 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - micro (blacklist.rules)
* 1:42830 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Sublink (blacklist.rules)
* 1:42829 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42828 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42827 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42826 <-> DISABLED <-> SERVER-WEBAPP Edimax 802.11AC repeater command injection attempt (server-webapp.rules)
* 1:42825 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42824 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42823 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:42822 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Carp variant download attempt (malware-other.rules)
* 1:30003 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt (exploit-kit.rules)
* 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
* 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:40814 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:40813 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:39874 <-> DISABLED <-> FILE-OTHER Microsoft Windows PDF parsing invalid JPEG2000 SIZ marker attempt (file-other.rules)
* 1:39568 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:37010 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
* 1:14265 <-> DISABLED <-> PROTOCOL-SCADA Multiple Schneider Electric SCADA products buffer overflow attempt (protocol-scada.rules)
* 1:37009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextBlock object use after free attempt (browser-ie.rules)
* 1:16172 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D line set heap corruption attempt (file-pdf.rules)
* 1:17323 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped (indicator-shellcode.rules)
* 1:18517 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer long URL buffer overflow attempt (browser-ie.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
* 1:23236 <-> DISABLED <-> INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder (indicator-shellcode.rules)
* 1:24667 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24668 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24669 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:24670 <-> ENABLED <-> EXPLOIT-KIT KaiXin exploit kit attack vector attempt (exploit-kit.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:25459 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:25460 <-> DISABLED <-> FILE-PDF Multiple products incomplete JP2K image geometry potentially malicious PDF detected (file-pdf.rules)
* 1:29620 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop malformed PNG detected tRNS overflow attempt (file-image.rules)
* 1:29813 <-> DISABLED <-> INDICATOR-OBFUSCATION randomized HTML number encodings detected in clsid access attempt (indicator-obfuscation.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:30001 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected (exploit-kit.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31406 <-> DISABLED <-> SERVER-OTHER Samsung TV denial of service attempt (server-other.rules)
* 1:30009 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older (exploit-kit.rules)
* 1:30006 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP (exploit-kit.rules)
* 1:30007 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 (exploit-kit.rules)
* 1:30008 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP (exploit-kit.rules)
* 1:30005 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17 (exploit-kit.rules)
* 1:30004 <-> ENABLED <-> EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17 (exploit-kit.rules)
* 3:35913 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe authentication attempt (server-other.rules)