Talos has added and modified multiple rules in the blacklist, browser-ie, file-identify, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)
* 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
* 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
* 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
* 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
* 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
* 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
* 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
* 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
* 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
* 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)

Modified rules:
* 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
* 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
* 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
* 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
* 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
* 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
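The listing format described above (gid:sid, default state, message, rule group) is regular enough to process mechanically, and that is how an operator normally triages an update: rules that ship DISABLED are commented out in the .rules files and have to be opted into deliberately. The script below is an added example, not Talos or Snort code. It parses a handful of lines constructed from the 2983 listing, reports which new rules ship disabled and which rule groups were touched, and emits the one-gid:sid-per-line entries that PulledPork's enablesid.conf accepts for whichever groups you decide to turn on. The sample text and the group selection are assumptions made for the example.

```python
"""Parse a Talos rule-update listing in the announced format

    gid:sid <-> Default rule state <-> Message (rule group)

and turn it into something actionable: which new rules ship DISABLED (those
are commented out in the .rules files and have to be opted into) and the
gid:sid lines an enablesid.conf would need to switch them on.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five lines copied from the 2983 listing above. A real
# run would feed the whole announcement, or the rule pack's own changelog.
SAMPLE = """\
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
* 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
"""

# One listing entry; the optional leading "*" is the announcement's bullet.
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str

    @property
    def category(self) -> str:
        # Snort messages lead with the rule category (MALWARE-CNC, FILE-PDF, ...).
        return self.message.split(" ", 1)[0]


def parse_listing(text: str) -> list[RuleEntry]:
    """Parse every non-empty line; a line that does not fit the format is an
    error rather than silently dropped, so a garbled update gets noticed."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule-update line: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def count_by_group(entries: list[RuleEntry]) -> dict[str, int]:
    """How many entries touched each rule group (.rules file)."""
    return dict(Counter(e.group for e in entries))


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules the pack ships commented out; the operator must enable them."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def enablesid_lines(entries: list[RuleEntry], groups: set[str]) -> list[str]:
    """gid:sid lines, one per rule, for the disabled rules in the chosen groups.
    That is the per-rule form PulledPork's enablesid.conf accepts, so the
    choice survives the next rule update instead of living in a hand-edited
    .rules file."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries) if e.group in groups]


if __name__ == "__main__":
    rules = parse_listing(SAMPLE)
    print("entries per rule group:", count_by_group(rules))
    for e in disabled_by_default(rules):
        print(f"disabled by default: {e.gid}:{e.sid} [{e.category}] {e.message}")
    print("enablesid.conf lines for server-webapp:")
    print("\n".join(enablesid_lines(rules, {"server-webapp.rules"})))
```

Enabling a rule group wholesale is rarely right; the point of splitting the output by group is to review the DISABLED entries (here the web-application exploit checks) against what actually runs on the monitored network before any of them go live.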
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)
* 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
* 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
* 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
* 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
* 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
* 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
* 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
* 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
* 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
* 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)

Modified rules:
* 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
* 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
* 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
* 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
* 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
* 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)
* 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
* 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
* 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
* 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
* 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
* 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
* 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
* 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
* 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
* 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
* 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
* 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
* 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
* 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
* 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
* 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
* 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
* 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
* 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
* 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
* 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
* 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
* 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
* 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)

Modified rules:
* 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
* 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
* 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
* 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
* 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
* 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
* 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
* 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
* 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
* 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
* 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
* 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)
* 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
* 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
* 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
* 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
* 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)