Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-identify, file-multimedia, file-office, file-other, malware-cnc, netbios, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44733 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44744 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44745 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44746 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44747 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44748 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44749 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44751 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44752 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44730 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44736 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44737 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44732 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44729 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 1:44731 <-> DISABLED <-> SERVER-WEBAPP Tuleap getRecentElements PHP object injection attempt (server-webapp.rules)
* 3:44750 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 login.cgi stack buffer overflow attempt (server-webapp.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:29358 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Mowfote (blacklist.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:28961 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28962 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
* 1:28508 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28507 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
* 1:27646 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt (server-other.rules)
* 1:27741 <-> ENABLED <-> EXPLOIT-KIT Zip file downloaded by Java (exploit-kit.rules)
* 1:26831 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:27110 <-> DISABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:26830 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:26423 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26424 <-> DISABLED <-> FILE-IDENTIFY Metalink File file download request (file-identify.rules)
* 1:26065 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:26422 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26063 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file download request (file-identify.rules)
* 1:26064 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
* 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
* 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:25252 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (file-executable.rules)
* 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:24509 <-> ENABLED <-> FILE-IDENTIFY rmf file download request (file-identify.rules)
* 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules)
* 1:14057 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - DMFR (blacklist.rules)
* 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
* 1:16475 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:16758 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules)
* 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:16759 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules)
* 1:16760 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules)
* 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:16761 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules)
* 1:13473 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file download request (file-identify.rules)
* 1:12807 <-> ENABLED <-> FILE-IDENTIFY Lotus 123 file attachment (file-identify.rules)
* 1:17106 <-> ENABLED <-> FILE-IDENTIFY download of RMF file - potentially malicious (file-identify.rules)
* 1:20452 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:21884 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21885 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:21955 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:21956 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:21957 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:22082 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file download request (file-identify.rules)
* 1:22083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:22084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:22963 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:22964 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:23346 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:23347 <-> ENABLED <-> FILE-IDENTIFY Lotus file download request (file-identify.rules)
* 1:23348 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:23349 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:24158 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:24156 <-> DISABLED <-> FILE-IDENTIFY .rtx file download request (file-identify.rules)
* 1:24157 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:24072 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:24073 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:24029 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:24071 <-> DISABLED <-> FILE-IDENTIFY GZip file download request (file-identify.rules)
* 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:23767 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:23641 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
* 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:35006 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:35007 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:5740 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows HTML help workshop file download request (file-identify.rules)
* 1:35008 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:35009 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:23708 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 3:41538 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN memory corruption attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44732 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44751 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44752 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44748 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44749 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44746 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44747 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44744 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44745 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44729 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 1:44731 <-> DISABLED <-> SERVER-WEBAPP Tuleap getRecentElements PHP object injection attempt (server-webapp.rules)
* 1:44733 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44737 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44730 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 1:44736 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 3:44750 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 login.cgi stack buffer overflow attempt (server-webapp.rules)
* 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
* 1:23348 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:23349 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:23346 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:23347 <-> ENABLED <-> FILE-IDENTIFY Lotus file download request (file-identify.rules)
* 1:22964 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:22084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:22963 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:22082 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file download request (file-identify.rules)
* 1:22083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:21956 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:21957 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:21955 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21884 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21885 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:17106 <-> ENABLED <-> FILE-IDENTIFY download of RMF file - potentially malicious (file-identify.rules)
* 1:20452 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:16760 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules)
* 1:16759 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules)
* 1:16758 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules)
* 1:16475 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:14057 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - DMFR (blacklist.rules)
* 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
* 1:12807 <-> ENABLED <-> FILE-IDENTIFY Lotus 123 file attachment (file-identify.rules)
* 1:13473 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file download request (file-identify.rules)
* 1:16761 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules)
* 1:23641 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:23708 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:23767 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:24029 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:24071 <-> DISABLED <-> FILE-IDENTIFY GZip file download request (file-identify.rules)
* 1:24072 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:24073 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:24156 <-> DISABLED <-> FILE-IDENTIFY .rtx file download request (file-identify.rules)
* 1:24157 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:24158 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:24509 <-> ENABLED <-> FILE-IDENTIFY rmf file download request (file-identify.rules)
* 1:25252 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (file-executable.rules)
* 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
* 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
* 1:26063 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file download request (file-identify.rules)
* 1:26064 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:26065 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:26422 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26423 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26424 <-> DISABLED <-> FILE-IDENTIFY Metalink File file download request (file-identify.rules)
* 1:35009 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:35007 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:35008 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:35006 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
* 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:26830 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:26831 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:27110 <-> DISABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
* 1:27646 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt (server-other.rules)
* 1:27741 <-> ENABLED <-> EXPLOIT-KIT Zip file downloaded by Java (exploit-kit.rules)
* 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
* 1:28507 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28508 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
* 1:28961 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28962 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:29358 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Mowfote (blacklist.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:5740 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows HTML help workshop file download request (file-identify.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
* 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules)
* 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 3:41538 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN memory corruption attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44752 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44751 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44749 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44748 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44747 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44746 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44745 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44744 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:44743 <-> DISABLED <-> SERVER-OTHER libupnp command buffer overflow attempt (server-other.rules)
* 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
* 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
* 1:44737 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44736 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:44735 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44734 <-> DISABLED <-> SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt (server-mail.rules)
* 1:44733 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44732 <-> DISABLED <-> BROWSER-PLUGINS Mitsubishi MC-WorkX ActiveX clsid access attempt (browser-plugins.rules)
* 1:44731 <-> DISABLED <-> SERVER-WEBAPP Tuleap getRecentElements PHP object injection attempt (server-webapp.rules)
* 1:44730 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 1:44729 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer script action handler buffer overflow attempt (browser-ie.rules)
* 3:44750 <-> ENABLED <-> SERVER-WEBAPP ASUS RP-AC52 login.cgi stack buffer overflow attempt (server-webapp.rules)
* 1:8445 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt (file-office.rules)
* 1:5740 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows HTML help workshop file download request (file-identify.rules)
* 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
* 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
* 1:39903 <-> ENABLED <-> FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt (file-office.rules)
* 1:3819 <-> ENABLED <-> FILE-IDENTIFY CHM file download request (file-identify.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:35009 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:35008 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:35007 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:35006 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt (server-webapp.rules)
* 1:34720 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download (exploit-kit.rules)
* 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
* 1:34331 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download (exploit-kit.rules)
* 1:34330 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download (exploit-kit.rules)
* 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:31971 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
* 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:31870 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:31869 <-> ENABLED <-> FILE-IDENTIFY JPEG file download request (file-identify.rules)
* 1:31868 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31867 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31866 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31865 <-> ENABLED <-> FILE-IDENTIFY JPEG file attachment detected (file-identify.rules)
* 1:31701 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:31371 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31332 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30909 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30906 <-> ENABLED <-> FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt (file-other.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29358 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent - Win.Trojan.Mowfote (blacklist.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28962 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28961 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer RealMedia URL length buffer overflow attempt (file-multimedia.rules)
* 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28508 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28507 <-> ENABLED <-> FILE-IDENTIFY Microsoft Write file download file attachment detected (file-identify.rules)
* 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
* 1:27741 <-> ENABLED <-> EXPLOIT-KIT Zip file downloaded by Java (exploit-kit.rules)
* 1:27646 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra login request buffer overflow attempt (server-other.rules)
* 1:27110 <-> DISABLED <-> EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request (exploit-kit.rules)
* 1:26831 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:26830 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSComctlLib.Toolbar ActiveX control access (file-office.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:26424 <-> DISABLED <-> FILE-IDENTIFY Metalink File file download request (file-identify.rules)
* 1:26423 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26422 <-> ENABLED <-> FILE-IDENTIFY Metalink File file attachment detected (file-identify.rules)
* 1:26065 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:26064 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file attachment detected (file-identify.rules)
* 1:26063 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word docm file download request (file-identify.rules)
* 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
* 1:25515 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file magic detected (file-identify.rules)
* 1:25514 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:25513 <-> ENABLED <-> FILE-IDENTIFY Portable Executable download detected (file-identify.rules)
* 1:25252 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows .NET Framework System.Uri.ReCreateParts System.Uri.PathAndQuery overflow attempt (file-executable.rules)
* 1:24509 <-> ENABLED <-> FILE-IDENTIFY rmf file download request (file-identify.rules)
* 1:24158 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:24157 <-> ENABLED <-> FILE-IDENTIFY .rtx file attachment detected (file-identify.rules)
* 1:24156 <-> DISABLED <-> FILE-IDENTIFY .rtx file download request (file-identify.rules)
* 1:24073 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:24072 <-> ENABLED <-> FILE-IDENTIFY GZip file attachment detected (file-identify.rules)
* 1:24071 <-> DISABLED <-> FILE-IDENTIFY GZip file download request (file-identify.rules)
* 1:24029 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:23767 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:23766 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:23708 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:23641 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:23349 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:23348 <-> ENABLED <-> FILE-IDENTIFY Lotus file attachment detected (file-identify.rules)
* 1:23347 <-> ENABLED <-> FILE-IDENTIFY Lotus file download request (file-identify.rules)
* 1:23346 <-> DISABLED <-> FILE-OTHER Oracle outside in Lotus 1-2-3 heap overflow attempt (file-other.rules)
* 1:22964 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:22963 <-> ENABLED <-> FILE-IDENTIFY RealNetworks RealPlayer RMP file attachment detected (file-identify.rules)
* 1:22084 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:22083 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file attachment detected (file-identify.rules)
* 1:22082 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office PowerPoint pptx file download request (file-identify.rules)
* 1:21957 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:21956 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows hlp file attachment detected (file-identify.rules)
* 1:21955 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows hlp file magic detected (file-identify.rules)
* 1:21940 <-> ENABLED <-> FILE-IDENTIFY EMF file magic detected (file-identify.rules)
* 1:21909 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21908 <-> ENABLED <-> FILE-IDENTIFY Portable Executable file attachment detected (file-identify.rules)
* 1:21885 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21884 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file attachment detected (file-identify.rules)
* 1:21479 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:21478 <-> ENABLED <-> FILE-IDENTIFY CHM file attachment detected (file-identify.rules)
* 1:20851 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:20850 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected (file-identify.rules)
* 1:20452 <-> DISABLED <-> FILE-IDENTIFY GZip file magic detected (file-identify.rules)
* 1:17106 <-> ENABLED <-> FILE-IDENTIFY download of RMF file - potentially malicious (file-identify.rules)
* 1:16761 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode create tree attempt (netbios.rules)
* 1:13473 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Publisher file download request (file-identify.rules)
* 1:16760 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand unicode andx create tree attempt (netbios.rules)
* 1:16759 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand create tree attempt (netbios.rules)
* 1:16758 <-> ENABLED <-> NETBIOS SMB /PlughNTCommand andx create tree attempt (netbios.rules)
* 1:16475 <-> DISABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected (file-identify.rules)
* 1:16425 <-> ENABLED <-> FILE-IDENTIFY Portable Executable binary file download request (file-identify.rules)
* 1:14057 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent - DMFR (blacklist.rules)
* 1:12807 <-> ENABLED <-> FILE-IDENTIFY Lotus 123 file attachment (file-identify.rules)
* 3:41538 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN memory corruption attempt (server-webapp.rules)