Talos has added and modified multiple rules in the browser-firefox, browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules) * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules) * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules) * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules) * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules) * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules) * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules) * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules) * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules) * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules) * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules) * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules) * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules) * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules) * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules) * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules) * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules) * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules) * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules) * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules) * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules) * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules) * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules) * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules) * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules) * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules) * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules) * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules) * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules) * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules) * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules) * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules) * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules) * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules) * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules) * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules) * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules) * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules) * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
* 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules) * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules) * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules) * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules) * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules) * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules) * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules) * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules) * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules) * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules) * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules) * 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules) * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules) * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules) * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules) * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules) * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules) * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules) * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules) * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules) * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules) * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules) * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules) * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules) * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules) * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules) * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules) * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules) * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules) * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules) * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules) * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules) * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules) * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules) * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules) * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules) * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules) * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules) * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules) * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules) * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules) * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules) * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules) * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules) * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules) * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
* 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules) * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules) * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules) * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules) * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules) * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules) * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules) * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules) * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules) * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
