Talos has added and modified multiple rules in the file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)
* 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)

* 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
* 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
* 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
* 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
* 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
* 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
* 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
* 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
* 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
* 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
* 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
* 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
* 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
* 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
* 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
* 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
* 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
* 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
* 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
* 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
* 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
* 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
* 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
* 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
* 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
* 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
* 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
* 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
* 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
* 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
* 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
* 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
* 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
* 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
* 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
* 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
* 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
* 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
* 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
* 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
* 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
* 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
* 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
* 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
* 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
* 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
* 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
* 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
* 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
* 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
* 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
* 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
* 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
* 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
* 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
* 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
* 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
* 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
* 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
* 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
* 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
* 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
* 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
* 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
* 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
* 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
* 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
* 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
* 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
* 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
* 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
* 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
* 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
* 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
* 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
* 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
* 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
* 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
* 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
* 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
* 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
* 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
* 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
* 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
* 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
* 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
* 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)
* 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)

* 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
* 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
* 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)
* 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
* 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
* 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
* 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
* 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
* 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
* 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
* 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
* 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
* 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
* 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
* 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
* 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
* 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
* 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
* 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
* 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
* 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
* 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
* 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
* 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
* 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
* 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
* 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
* 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
* 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
* 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
* 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
* 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
* 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
* 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
* 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
* 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
* 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
* 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
* 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
* 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
* 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
* 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
* 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
* 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
* 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
* 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
* 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
* 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
* 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
* 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
* 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
* 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
* 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
* 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
* 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
* 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
* 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
* 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
* 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
* 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
* 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
* 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
* 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
* 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
* 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
* 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
* 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
* 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
* 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
* 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
* 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
* 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
* 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
* 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
* 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
* 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
* 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
* 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
* 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
* 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
* 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
* 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
* 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
* 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
* 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
* 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
* 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
* 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45261 <-> DISABLED <-> SERVER-WEBAPP Vivotek IP Cameras remote stack buffer overflow attempt (server-webapp.rules)
* 1:45262 <-> DISABLED <-> SERVER-WEBAPP Google App Engine open redirect attempt (server-webapp.rules)

* 1:16911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t= (malware-cnc.rules)
* 1:16912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - net/cfg2.bin (malware-cnc.rules)
* 1:16913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p= (malware-cnc.rules)
* 1:16914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - .bin?ucsp (malware-cnc.rules)
* 1:16915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF (malware-cnc.rules)
* 1:16916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /jarun/jezerce (malware-cnc.rules)
* 1:16917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ekaterina/velika (malware-cnc.rules)
* 1:16918 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ultimate/fight (malware-cnc.rules)
* 1:16919 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t= (malware-cnc.rules)
* 1:16920 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver (malware-cnc.rules)
* 1:16921 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/ (malware-cnc.rules)
* 1:16922 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID= (malware-cnc.rules)
* 1:16923 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords= (malware-cnc.rules)
* 1:16924 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /inst.php?fff= (malware-cnc.rules)
* 1:16925 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /message.php?subid= (malware-cnc.rules)
* 1:16926 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC= (malware-cnc.rules)
* 1:16927 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl (malware-cnc.rules)
* 1:16928 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz (malware-cnc.rules)
* 1:16929 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - gate.php?guid= (malware-cnc.rules)
* 1:16930 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - count.asp?mac= (malware-cnc.rules)
* 1:16931 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m= (malware-cnc.rules)
* 1:16932 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj. (malware-cnc.rules)
* 1:16933 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar (malware-cnc.rules)
* 1:17898 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d= (malware-cnc.rules)
* 1:17899 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac= (malware-cnc.rules)
* 1:17900 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll (malware-cnc.rules)
* 1:17901 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /mybackup21.rar (malware-cnc.rules)
* 1:17902 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe (malware-cnc.rules)
* 1:17903 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - stid= (malware-cnc.rules)
* 1:17904 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /tongji.js (malware-cnc.rules)
* 1:17905 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php (malware-cnc.rules)
* 1:17906 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - 2x/.*php (malware-cnc.rules)
* 1:17907 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download (malware-cnc.rules)
* 1:17908 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe (malware-cnc.rules)
* 1:17909 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /images/css/1.exe (malware-cnc.rules)
* 1:17910 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /7xdown.exe (malware-cnc.rules)
* 1:17911 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /winhelper.exe (malware-cnc.rules)
* 1:17912 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac= (malware-cnc.rules)
* 1:17913 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /ok.exe (malware-cnc.rules)
* 1:17914 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll (malware-cnc.rules)
* 1:17915 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin (malware-cnc.rules)
* 1:17916 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /dh/stats.bin (malware-cnc.rules)
* 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
* 1:19256 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup (malware-cnc.rules)
* 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
* 1:19595 <-> DISABLED <-> MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card (malware-other.rules)
* 1:19622 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - pte.aspx?ver= (malware-cnc.rules)
* 1:19623 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - vic.aspx?ver= (malware-cnc.rules)
* 1:19625 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - .sys.php?getexe= (malware-cnc.rules)
* 1:19626 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj= (malware-cnc.rules)
* 1:19627 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq= (malware-cnc.rules)
* 1:19628 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /1cup/script.php (malware-cnc.rules)
* 1:19631 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - AnSSip= (malware-cnc.rules)
* 1:19632 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid= (malware-cnc.rules)
* 1:19633 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid= (malware-cnc.rules)
* 1:19635 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /app/?prj= (malware-cnc.rules)
* 1:19636 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v (malware-cnc.rules)
* 1:19637 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /install.asp?mac= (malware-cnc.rules)
* 1:19638 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /kx4.txt (malware-cnc.rules)
* 1:19778 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f= (malware-cnc.rules)
* 1:19882 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A (malware-cnc.rules)
* 1:19913 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - optima/index.php (malware-cnc.rules)
* 1:21255 <-> ENABLED <-> MALWARE-OTHER known malicious FTP login banner - 0wns j0 (malware-other.rules)
* 1:21256 <-> ENABLED <-> MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting (malware-other.rules)
* 1:21257 <-> DISABLED <-> MALWARE-CNC URI - known scanner tool muieblackcat (malware-cnc.rules)
* 1:23473 <-> ENABLED <-> MALWARE-CNC URI request for runforestrun - JS.Runfore (malware-cnc.rules)
* 1:24018 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - hello.icon.pk (malware-cnc.rules)
* 1:24019 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe (malware-cnc.rules)
* 1:25018 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:25394 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/th (malware-cnc.rules)
* 1:25395 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/nt/sk (malware-cnc.rules)
* 1:25396 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/dllhost/ac (malware-cnc.rules)
* 1:25397 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/check (malware-cnc.rules)
* 1:25398 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/ms/flush (malware-cnc.rules)
* 1:25399 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/wcx (malware-cnc.rules)
* 1:25400 <-> ENABLED <-> MALWARE-CNC URI request for /cgi-bin/win/cab (malware-cnc.rules)
* 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
* 1:27980 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid= (malware-cnc.rules)
* 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
* 1:42841 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit tcp dns query (malware-cnc.rules)
* 1:41083 <-> ENABLED <-> MALWARE-CNC DNS suspicious .bit dns query (malware-cnc.rules)
* 1:36131 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01 (malware-cnc.rules)
* 1:34834 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn (malware-cnc.rules)
* 1:34291 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string crackim (malware-cnc.rules)
* 1:33513 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:32000 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31999 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31998 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31997 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31996 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31995 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31994 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31993 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31992 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:31949 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31948 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:31947 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee (malware-cnc.rules)
* 1:29999 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format (malware-cnc.rules)
* 1:31688 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor (malware-cnc.rules)
* 1:31422 <-> DISABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Cactus (malware-cnc.rules)
* 1:31543 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface (malware-cnc.rules)
* 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:30320 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:27981 <-> ENABLED <-> MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid= (malware-cnc.rules)
* 1:31292 <-> DISABLED <->
FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
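A list in this form is easier to act on once it is parsed. The following is an added example, written for this page and not code from Talos or the Snort project: it reads entries of the form `gid:sid <-> ENABLED|DISABLED <-> message (group.rules)`, tolerates entries that the page runs together on one line or wraps across two, keeps the first occurrence of a SID that is listed twice, counts how many rules each rule group ships enabled and disabled in the default policy, and emits the `gid:sid` lines you would put in a rule manager's enable list to switch on the file-pdf rules that ship DISABLED. The sample entries are copied from the list above; the one-`gid:sid`-per-line enable-list format (as PulledPork's enablesid.conf reads it) is an assumption about your rule manager.

```python
"""Parse a Snort/Talos rule-pack release list and summarise default states.
Added example for this page; not Talos or Snort code."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample, copied from the release list above. The third line is
# deliberately two entries run together, as the extracted page has them, to
# show the parser does not depend on one entry per line.
SAMPLE = """\
* 1:17917 <-> DISABLED <-> MALWARE-CNC URI request for known malicious URI - /zeus/config.bin (malware-cnc.rules)
* 1:19493 <-> ENABLED <-> MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain (malware-cnc.rules)
* 1:31291 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules) * 1:31292 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DynamicAnnotStore exploit attempt (file-pdf.rules)
* 1:32001 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound (malware-cnc.rules)
* 1:27737 <-> DISABLED <-> MALWARE-CNC DNS suspicious .c0m.li dns query (malware-cnc.rules)
"""

# One entry: gid:sid, default state, free-text message, then "(group.rules)".
# The message is matched non-greedily so it stops at the group suffix even
# when the next entry follows on the same line.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


class Rule(NamedTuple):
    gid: int
    sid: int
    state: str
    message: str
    group: str


def parse_rules(text: str) -> List[Rule]:
    """Return the rules in `text`. Whitespace (including line breaks) is
    collapsed first so an entry wrapped across lines still parses. When a
    gid:sid appears more than once, the first occurrence wins."""
    flat = re.sub(r"\s+", " ", text)
    seen = set()
    rules: List[Rule] = []
    for m in ENTRY_RE.finditer(flat):
        key = (int(m["gid"]), int(m["sid"]))
        if key in seen:
            continue
        seen.add(key)
        rules.append(Rule(key[0], key[1], m["state"], m["msg"], m["group"]))
    return rules


def summarize(rules: List[Rule]) -> Dict[str, Dict[str, int]]:
    """Per rule group, how many rules are ENABLED and DISABLED by default."""
    out: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"ENABLED": 0, "DISABLED": 0})
    for r in rules:
        out[r.group][r.state] += 1
    return dict(out)


def enablesid_lines(rules: List[Rule], group: str) -> List[str]:
    """Sorted 'gid:sid' lines for the DISABLED rules of `group`, in the
    one-per-line form an enable list such as PulledPork's enablesid.conf
    reads (assumption: adjust if your rule manager wants another form)."""
    return [f"{r.gid}:{r.sid}" for r in sorted(rules)
            if r.group == group and r.state == "DISABLED"]


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for grp, counts in sorted(summarize(parsed).items()):
        print(f"{grp}: {counts['ENABLED']} enabled, "
              f"{counts['DISABLED']} disabled by default")
    print("enable-list lines for file-pdf.rules:")
    print("\n".join(enablesid_lines(parsed, "file-pdf.rules")))
```

DISABLED here is the state in the default policy of the rule pack, not a judgement on the rule; whether to switch a rule on is a decision for your own environment, and the enable list this produces is the place to record it.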