Talos has added and modified multiple rules in the file-image, file-office, file-other, malware-cnc, malware-other, netbios, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
* 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
* 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
* 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
* 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
* 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
* 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
* 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
* 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
* 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
* 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
* 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
* 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
* 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
* 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
* 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
* 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
* 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
* 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
* 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
* 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
* 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
* 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
* 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
* 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
* 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
* 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
* 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
* 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
* 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
* 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
* 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
* 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
* 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
* 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
* 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (snort3-malware-cnc.rules)
* 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (snort3-malware-other.rules)
* 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (snort3-malware-other.rules)
* 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (snort3-malware-cnc.rules)
* 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (snort3-malware-cnc.rules)
* 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
* 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (snort3-file-other.rules)
* 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (snort3-malware-cnc.rules)
* 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (snort3-malware-cnc.rules)
* 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
* 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
* 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
* 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (snort3-server-apache.rules)
* 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (snort3-server-other.rules)
* 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (snort3-malware-cnc.rules)
* 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (snort3-malware-cnc.rules)
* 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (snort3-file-other.rules)
* 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (snort3-netbios.rules)
* 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (snort3-file-other.rules)
* 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (snort3-file-image.rules)
* 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (snort3-server-webapp.rules)
* 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (snort3-server-webapp.rules)
* 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (snort3-file-image.rules)
* 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (snort3-file-other.rules)
* 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (snort3-file-other.rules)
* 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (snort3-file-other.rules)
* 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (snort3-server-webapp.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (snort3-malware-cnc.rules)
* 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (snort3-malware-cnc.rules)
* 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (snort3-malware-cnc.rules)
* 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (snort3-server-webapp.rules)
* 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (snort3-malware-cnc.rules)

* 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (snort3-server-webapp.rules)
* 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (snort3-file-office.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (snort3-server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (snort3-server-webapp.rules)
* 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
* 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
* 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
* 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
* 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
* 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
* 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
* 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
* 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
* 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
* 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
* 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
* 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
* 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
* 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
* 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
* 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
* 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
* 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46072 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46071 <-> ENABLED <-> SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt (server-apache.rules)
* 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltraion outbound request (malware-cnc.rules)
* 1:46069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module request (malware-cnc.rules)
* 1:46068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty module download request (malware-cnc.rules)
* 1:46067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection (malware-cnc.rules)
* 1:46066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection (malware-cnc.rules)
* 1:46065 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sigma outbound connection (malware-cnc.rules)
* 1:46064 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46063 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46062 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Membership extension SQL injection attempt (server-webapp.rules)
* 1:46061 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary pointer dereference attempt (server-other.rules)
* 1:46054 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46053 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF malformed Object record out-of-bounds access attempt (file-other.rules)
* 1:46052 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT (malware-cnc.rules)
* 1:46051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt (malware-cnc.rules)
* 1:46050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt (malware-cnc.rules)
* 1:46049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fosniw variant connection attempt (malware-cnc.rules)
* 1:46048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gen variant outbound communication (malware-cnc.rules)
* 1:46089 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46088 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46087 <-> ENABLED <-> SERVER-WEBAPP Joomla JEXTN Reverse Auction extension SQL injection attempt (server-webapp.rules)
* 1:46086 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46085 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46084 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46083 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt (server-webapp.rules)
* 1:46082 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt (server-webapp.rules)
* 1:46081 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46080 <-> DISABLED <-> SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt (server-webapp.rules)
* 1:46078 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46077 <-> DISABLED <-> FILE-IMAGE Gifsicle gifread double-free attempt (file-image.rules)
* 1:46076 <-> DISABLED <-> NETBIOS MikroTik RouterOS buffer overflow attempt (netbios.rules)
* 1:46075 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46074 <-> DISABLED <-> FILE-OTHER Microsoft Windows Remote Assistance external entity remote file download attempt (file-other.rules)
* 1:46073 <-> DISABLED <-> FILE-OTHER Python lib wave.py wav zero channel denial of service attempt (file-other.rules)
* 1:46092 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 1:46091 <-> DISABLED <-> MALWARE-OTHER VBscript downloader detected (malware-other.rules)
* 3:46055 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46056 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46058 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46059 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0545 attack attempt (file-other.rules)
* 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
* 3:46090 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0549 attack attempt (server-webapp.rules)
* 3:46093 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)
* 3:46094 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0550 attack attempt (file-image.rules)

* 1:26279 <-> DISABLED <-> SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt (server-webapp.rules)
* 1:26626 <-> DISABLED <-> FILE-OFFICE XML parameter entity reference local file disclosure attempt (file-office.rules)
* 1:29830 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:29831 <-> ENABLED <-> SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt (server-webapp.rules)
* 1:41818 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
* 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)