Talos has added and modified multiple rules in the deleted, file-flash, file-office, file-pdf, malware-cnc, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
* 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
* 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
* 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
* 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
* 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
* 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
* 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
* 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
* 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
* 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
* 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
* 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
* 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
* 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
* 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
* 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
* 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
* 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
* 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
* 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
* 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
* 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)
* 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
* 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
* 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
* 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
* 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
* 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
* 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
* 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
* 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
* 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
* 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
* 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
* 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
* 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
* 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
* 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
* 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules)
* 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules)
* 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
* 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
* 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
* 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
* 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
* 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
* 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
* 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules)
* 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound connection (malware-cnc.rules)
* 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules)
* 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules)
* 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
* 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
* 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
* 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules)
* 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules)
* 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules)
* 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules)
* 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
* 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules)
* 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
* 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
* 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
* 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
* 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
* 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
* 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
* 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
* 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
* 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
* 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules)
* 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
* 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
* 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
* 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules)
* 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
* 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
* 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
* 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules)
* 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules)
* 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules)
* 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
* 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
* 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules)
* 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules)
* 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
* 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
* 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules)
* 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules)
* 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
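The listings on this page all use the `gid:sid <-> Default rule state <-> Message (rule group)` form described above. As an added example, not part of the Talos release note, the Python below parses that form (tolerating entries run together on one line or wrapped mid-message, as happens when the note is copied around) and answers the questions an operator actually has after reading a rule update: which rules ship DISABLED and so need a deliberate decision, how many rules each group touches, and which gid:sid pairs differ between two releases. The sample entries are copied from the lists on this page; `SAMPLE_2990` is a deliberately short, constructed subset so the version diff has something to show. The `enablesid_line` output uses the comma-separated `gid:sid` form PulledPork's enablesid.conf accepts; entries in deleted.rules are skipped on purpose, because those are retired rules whose message Talos replaces with a random token and they should never be turned on.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set, Tuple

# Constructed sample inputs: entries copied from the rule-update listings on this
# page. Some are run together on one line and one is wrapped mid-message, on
# purpose, to show that the parser copes with how these notes get pasted around.
SAMPLE_2983 = """
* 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules) * 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
* 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
* 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
* 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
* 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow
device crash attempt (protocol-scada.rules)
"""

# Constructed subset standing in for a second release, so diff_versions has work to do.
SAMPLE_2990 = """
* 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
* 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
"""

# One entry: "* gid:sid <-> STATE <-> message (group.rules)". DOTALL lets a message
# wrapped across a line break still match; the "(x.rules)" suffix terminates it.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def key(self) -> Tuple[int, int]:
        return (self.gid, self.sid)


def parse_entries(text: str) -> List[RuleEntry]:
    """Extract every entry in text, whether one per line or run together."""
    return [
        RuleEntry(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=m["state"] == "ENABLED",
            msg=" ".join(m["msg"].split()),  # collapse whitespace left by wrapping
            group=m["group"],
        )
        for m in ENTRY_RE.finditer(text)
    ]


def disabled_by_default(entries: Iterable[RuleEntry],
                        groups: Optional[Set[str]] = None) -> List[RuleEntry]:
    """Rules shipped DISABLED that an operator may decide to turn on.

    deleted.rules entries are retired rules (message replaced by a random token)
    and are never candidates for enabling, so they are skipped.
    """
    return sorted(
        (e for e in entries
         if not e.enabled and e.group != "deleted.rules"
         and (groups is None or e.group in groups)),
        key=lambda e: e.key,
    )


def enablesid_line(entries: Iterable[RuleEntry]) -> str:
    """Comma-separated gid:sid list in the form PulledPork's enablesid.conf accepts."""
    return ",".join(f"{e.gid}:{e.sid}" for e in sorted(entries, key=lambda e: e.key))


def group_summary(entries: Iterable[RuleEntry]) -> Dict[Tuple[str, bool], int]:
    """Count entries per (rule group, enabled flag)."""
    return dict(Counter((e.group, e.enabled) for e in entries))


def diff_versions(old: Iterable[RuleEntry], new: Iterable[RuleEntry]
                  ) -> Tuple[Set[Tuple[int, int]], Set[Tuple[int, int]]]:
    """(only in old, only in new) by gid:sid, to see what changed between two packs."""
    old_keys = {e.key for e in old}
    new_keys = {e.key for e in new}
    return old_keys - new_keys, new_keys - old_keys


if __name__ == "__main__":
    v2983 = parse_entries(SAMPLE_2983)
    v2990 = parse_entries(SAMPLE_2990)
    print("disabled server-apache rules:",
          [(e.sid, e.msg) for e in disabled_by_default(v2983, {"server-apache.rules"})])
    print("enablesid.conf line:", enablesid_line(disabled_by_default(v2983)))
    print("per-group summary:", group_summary(v2983))
    print("removed / added between samples:", diff_versions(v2983, v2990))
```

Rules that arrive DISABLED are usually the ones Talos judged too noisy or too expensive to run everywhere; the two Apache Solr rules in this pack are the kind an operator with Solr exposed should enable deliberately rather than leave to the default, and the per-group summary is a quick way to see which of those decisions a given update forces.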
* 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
* 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
* 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
* 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
* 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
* 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
* 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
* 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
* 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
* 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
* 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
* 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
* 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
* 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
* 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
* 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
* 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
* 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
* 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
* 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)
* 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
* 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
* 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
* 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
* 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
* 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
* 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
* 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
* 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
* 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
* 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
* 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
* 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
* 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
* 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
* 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
* 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
* 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
* 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
* 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected
(file-office.rules) * 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules) * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules) * 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules) * 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules) * 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules) * 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules) * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules) * 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules) * 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules) * 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules) * 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules) * 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules) * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules) * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules) * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules) * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules) * 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules) * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules) * 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound 
connection (malware-cnc.rules) * 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules) * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules) * 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules) * 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules) * 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules) * 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules) * 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules) * 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules) * 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules) * 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules) * 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules) * 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules) * 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules) * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules) * 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules) * 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules) * 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules) * 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules) * 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax 
variant outbound connection (malware-cnc.rules) * 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules) * 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules) * 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules) * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules) * 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules) * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules) * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules) * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules) * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules) * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules) * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules) * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules) * 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules) * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules) * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules) * 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules) * 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do 
SQL injection attempt (server-webapp.rules) * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules) * 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules) * 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules) * 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules) * 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules) * 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules) * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules) * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules) * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules) * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules) * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules) * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules) * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules) * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules) * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules) * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules) * 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules) * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules) * 1:44789 <-> 
ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules) * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules) * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules) * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules) * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules) * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules) * 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:45101 <-> DISABLED <-> PROTOCOL-SCADA vxworks rpc credential flavor integer overflow device crash attempt (protocol-scada.rules)
* 1:45100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant outbound connection (malware-cnc.rules)
* 1:45099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syscon variant inbound connection (malware-cnc.rules)
* 1:45098 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection (malware-cnc.rules)
* 1:45097 <-> ENABLED <-> MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection (malware-cnc.rules)
* 1:45096 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant inbound connection (malware-cnc.rules)
* 1:45095 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Gibon variant outbound connection (malware-cnc.rules)
* 1:45094 <-> DISABLED <-> SERVER-WEBAPP MediaWiki arbitrary file write attempt (server-webapp.rules)
* 1:45093 <-> DISABLED <-> SERVER-WEBAPP Apache Archiva XML server side request forgery attempt (server-webapp.rules)
* 1:45092 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection (malware-cnc.rules)
* 1:45091 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection (malware-cnc.rules)
* 1:45090 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection (malware-cnc.rules)
* 1:45085 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
* 1:45084 <-> DISABLED <-> SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt (server-apache.rules)
* 1:45083 <-> DISABLED <-> SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt (server-apache.rules)
* 1:45082 <-> DISABLED <-> SERVER-WEBAPP Ruby on Rails log file manipulation attempt (server-webapp.rules)
* 1:44870 <-> DISABLED <-> DELETED MzxoBYWaxvjLcsmkxZjK (deleted.rules)
* 1:44869 <-> DISABLED <-> DELETED rZWXwyJ8bPnkrEyUfMbl (deleted.rules)
* 1:44868 <-> DISABLED <-> DELETED ttP2cWhxHiaW4S7ZGfi6 (deleted.rules)
* 1:44867 <-> DISABLED <-> DELETED qYHcy2wy7PRGLrt918ZR (deleted.rules)
* 3:45105 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45106 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0504 attack attempt (file-pdf.rules)
* 3:45102 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 3:45103 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0505 attack attempt (file-pdf.rules)
* 3:45088 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0502 attack attempt (server-webapp.rules)
* 3:45089 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0501 attack attempt (server-other.rules)
* 3:45086 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0494 attack attempt (server-webapp.rules)
* 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)
* 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
* 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected (malware-cnc.rules)
* 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection (malware-cnc.rules)
* 1:44975 <-> ENABLED <-> MALWARE-CNC Php.Dropper.Mayhem variant outbound connection (malware-cnc.rules)
* 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
* 1:44922 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
* 1:44921 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager manageApplications.do SQL injection attempt (server-webapp.rules)
* 1:44899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
* 1:44898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44897 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44896 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner outbound connection (malware-cnc.rules)
* 1:44895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected (malware-cnc.rules)
* 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
* 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word RTF memory corruption attempt (file-office.rules)
* 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
* 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel use after free vulnerability exploit attempt (file-office.rules)
* 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection (malware-cnc.rules)
* 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup variant outbound connection (malware-cnc.rules)
* 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
* 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection (malware-cnc.rules)
* 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection (malware-cnc.rules)
* 1:44689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound connection (malware-cnc.rules)
* 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection (malware-cnc.rules)
* 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection (malware-cnc.rules)
* 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
* 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word docx object type confusion attempt (file-office.rules)
* 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound connection (malware-cnc.rules)
* 1:44316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ellell variant outbound connection (malware-cnc.rules)
* 1:44313 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Totbrick variant outbound connection (malware-cnc.rules)
* 1:44212 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:44211 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tarayt outbound connection (malware-cnc.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection (malware-cnc.rules)
* 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection (malware-cnc.rules)
* 1:43457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eorezo variant outbound connection (malware-cnc.rules)
* 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg remote code execution attempt (file-office.rules)
* 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2016 use after free attempt (file-office.rules)
* 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
* 1:43049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gasonen variant outbound connection (malware-cnc.rules)
* 1:42997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:42996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spesseo variant outbound connection (malware-cnc.rules)
* 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection (malware-cnc.rules)
* 1:42929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection (malware-cnc.rules)
* 1:42926 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:42925 <-> ENABLED <-> MALWARE-CNC Js.Keylogger.Scanbox outbound connection (malware-cnc.rules)
* 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection (malware-cnc.rules)
* 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection (malware-cnc.rules)
* 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection (malware-cnc.rules)
* 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection (malware-cnc.rules)
* 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection (malware-cnc.rules)
* 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word 2010 Sepx memory corruption attempt (file-office.rules)
* 1:42452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Frethog variant outbound connection (malware-cnc.rules)
* 1:42447 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Batlopma variant outbound connection (malware-cnc.rules)
* 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection (malware-cnc.rules)
* 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound connection (malware-cnc.rules)
* 1:42348 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QQPass variant outbound connection (malware-cnc.rules)
* 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection (malware-cnc.rules)
* 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection (malware-cnc.rules)
* 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection (malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection (malware-cnc.rules)
* 1:42083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection (malware-cnc.rules)
* 1:42080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:42079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent (malware-cnc.rules)
* 1:42031 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42027 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42026 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42025 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42024 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42023 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42022 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:42021 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
* 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection (malware-cnc.rules)
* 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection (malware-cnc.rules)
* 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection (malware-cnc.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection (malware-cnc.rules)
* 1:41337 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:41336 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Sysch variant outbound connection (malware-cnc.rules)
* 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:41331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scudy outbound connection (malware-cnc.rules)
* 1:41178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41174 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41173 <-> ENABLED <-> MALWARE-CNC Win.Trojan.August variant outbound connection (malware-cnc.rules)
* 1:41141 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41140 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word Out-of-Bounds Write attempt (file-office.rules)
* 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
* 1:40911 <-> ENABLED <-> MALWARE-CNC Win.Rootkit.Sednit variant outbound connection (malware-cnc.rules)
* 1:40910 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40831 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection (malware-cnc.rules)
* 1:40816 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40702 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40701 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word out of bounds memory read attempt (file-office.rules)
* 1:40680 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40679 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds read attempt (file-office.rules)
* 1:40559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.iSpy variant outbound connection (malware-cnc.rules)
* 1:40548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redosdru variant outbound connection (malware-cnc.rules)
* 1:40541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Satana ransomware outbound connection (malware-cnc.rules)
* 1:40527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
* 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word RTF file parsing buffer overflow attempt (file-office.rules)
* 1:40307 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
* 1:40306 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document containing VBA project entry detected (file-office.rules)
* 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection (malware-cnc.rules)
* 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection (malware-cnc.rules)
* 1:40282 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40281 <-> DISABLED <-> FILE-OFFICE Microsoft Office Wordpad font conversion buffer overflow attempt (file-office.rules)
* 1:40252 <-> ENABLED <-> MALWARE-CNC Win.Perseus variant outbound connection (malware-cnc.rules)
* 1:40067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit outbound connection (malware-cnc.rules)
* 1:40058 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:39921 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
* 1:39920 <-> DISABLED <-> MALWARE-CNC Neutrino outbound connection (malware-cnc.rules)
* 1:39836 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
* 1:39835 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed jpeg memory corruption attempt (file-office.rules)
* 1:36497 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hangman.A outbound connection (malware-cnc.rules)
* 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35035 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Taleretzbj outbound connection (malware-cnc.rules)
* 1:34998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bossabot outbound connection (malware-cnc.rules)
* 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection (malware-cnc.rules)
* 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection (malware-cnc.rules)
* 1:34932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shindo outbound connection (malware-cnc.rules)
* 1:34888 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
* 1:34887 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sojax variant outbound connection (malware-cnc.rules)
* 1:34871 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
* 1:34870 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Logreaz variant outbound connection (malware-cnc.rules)
* 1:34863 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
* 1:34862 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection (malware-cnc.rules)
* 1:34597 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
* 1:34596 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Atrax variant outbound connection (malware-cnc.rules)
* 1:33594 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
* 1:32824 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection (malware-cnc.rules)
* 1:32129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection (malware-cnc.rules)
* 1:31834 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection (malware-cnc.rules)
* 1:31262 <-> ENABLED <-> MALWARE-CNC Win.Worm.VBNA variant outbound connection (malware-cnc.rules)
* 1:30259 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Strictor variant outbound connection (malware-cnc.rules)
* 1:30251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mumawow outbound connection (malware-cnc.rules)
* 1:29955 <-> DISABLED <-> SERVER-WEBAPP WordPress Quick-Post Widget GET request using Body cross-site scripting (server-webapp.rules)
* 1:29895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection (malware-cnc.rules)
* 1:28411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
* 1:28410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection (malware-cnc.rules)
* 3:45049 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0493 attack attempt (server-webapp.rules)
