Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-image, file-java, file-multimedia, file-other, indicator-compromise, malware-cnc, policy-other, server-apache, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
* 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
* 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
* 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execusion attempt (server-other.rules)
* 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
* 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
* 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
* 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
* 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
* 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
* 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
* 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
* 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
* 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
* 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
* 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
* 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
* 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
* 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
* 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules)
* 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
* 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
* 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
* 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
* 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
* 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
* 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
* 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)
* 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
* 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules)
* 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
* 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
* 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
* 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execusion attempt (server-other.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
* 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
* 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
* 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
* 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
* 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
* 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
* 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
* 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
* 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
* 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
* 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
* 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
* 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
* 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
* 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
* 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules)
* 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
* 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
* 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules)
* 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
* 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules)
* 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
* 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules)
* 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
* 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules)
* 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
* 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules)
* 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules)
* 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules)
* 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
* 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45332 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45333 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
* 1:45330 <-> DISABLED <-> SERVER-WEBAPP raSMP User-Agent XSS injection attempt (server-webapp.rules)
* 1:45327 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR NAS configuration download attempt (server-webapp.rules)
* 1:45328 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR admin password reset attempt (server-webapp.rules)
* 1:45325 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR DDNS configuration download attempt (server-webapp.rules)
* 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
* 1:45323 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR email configuration download attempt (server-webapp.rules)
* 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
* 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
* 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
* 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
* 1:45318 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45319 <-> DISABLED <-> SERVER-WEBAPP Citrix NetScaler SD-WAN command injection attempt (server-webapp.rules)
* 1:45316 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45317 <-> DISABLED <-> SERVER-WEBAPP Chipmunk Guestbook cross site scripting attempt (server-webapp.rules)
* 1:45314 <-> ENABLED <-> SERVER-WEBAPP Beijing Hanbang Hanbanggaoke IP camera admin password change attempt (server-webapp.rules)
* 1:45315 <-> DISABLED <-> FILE-OTHER Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-other.rules)
* 1:45313 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45311 <-> DISABLED <-> POLICY-OTHER Vicon Security and Infinova IP cameras IP filer state change (policy-other.rules)
* 1:45312 <-> DISABLED <-> SERVER-WEBAPP Vicon Security and Infinova filterIp command injection attempt (server-webapp.rules)
* 1:45309 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45310 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter Matrix use after free attempt (file-flash.rules)
* 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45300 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45301 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45298 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45299 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45296 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45297 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45294 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45295 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45292 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45293 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45291 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45290 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45289 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45287 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45288 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45285 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45286 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45283 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45284 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45281 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45282 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45279 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45280 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45277 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45278 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45275 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45276 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45266 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45264 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:45265 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45267 <-> DISABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
* 1:45268 <-> DISABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execusion attempt (server-other.rules)
* 1:45270 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45271 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45272 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45273 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45274 <-> DISABLED <-> BROWSER-PLUGINS UCanCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:45303 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
* 1:45304 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:45305 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45306 <-> DISABLED <-> FILE-IMAGE Qt library BMP image parser heap overflow exploit attempt (file-image.rules)
* 1:45307 <-> DISABLED <-> SERVER-APACHE Apache SSI error page cross-site scripting attempt (server-apache.rules)
* 1:45308 <-> DISABLED <-> SERVER-WEBAPP Axis Communications CGI Parser information disclosure attempt (server-webapp.rules)
* 1:45356 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)
* 1:45263 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple server side template injection attempt (server-webapp.rules)
* 1:45355 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45354 <-> DISABLED <-> BROWSER-OTHER Apple Safari javascript mutlibyte character escaping denial of service attempt (browser-other.rules)
* 1:45353 <-> DISABLED <-> SERVER-APACHE Sling framework information disclosure attempt (server-apache.rules)
* 1:45352 <-> ENABLED <-> MALWARE-CNC PowerShell Empire HTTP listener response (malware-cnc.rules)
* 1:45351 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45350 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45349 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithPrivilege method call attempt (file-java.rules)
* 1:45348 <-> DISABLED <-> FILE-JAVA IBM Java invokeWithClassLoaders method call attempt (file-java.rules)
* 1:45347 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45346 <-> DISABLED <-> FILE-JAVA Oracle Java strlen denial of service attempt (file-java.rules)
* 1:45345 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45344 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45343 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45342 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45341 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45340 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt
(malware-cnc.rules) * 1:45335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules) * 1:45336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules) * 1:45334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:44564 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:45260 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt (malware-cnc.rules) * 1:44562 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:44563 <-> DISABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:44561 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules) * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:36611 <-> DISABLED <-> INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate (indicator-compromise.rules) * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire variant outbound connection (malware-cnc.rules) * 1:32896 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules) * 1:32897 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules) * 1:32895 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX function call access attempt (browser-plugins.rules) * 1:28208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption attempt (browser-ie.rules) * 1:32894 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone ActiveX clsid access attempt (browser-plugins.rules) * 1:27944 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules) * 1:28207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer swapNode memory corruption 
attempt (browser-ie.rules) * 1:25778 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG use after free attempt (browser-ie.rules) * 1:27943 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onlosecapture memory corruption attempt (browser-ie.rules) * 1:17117 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows MPEG Layer-3 audio heap corruption attempt (file-multimedia.rules) * 1:18970 <-> DISABLED <-> FILE-FLASH Adobe Flash Player null pointer dereference attempt (file-flash.rules)