Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-office, malware-cnc, netbios, os-windows, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
* 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
* 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
* 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
* 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
* 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
* 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
* 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
* 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
* 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
* 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
* 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
* 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
* 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)

* 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
* 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
* 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
* 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
* 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
* 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
* 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
* 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
* 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
* 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
* 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
* 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
* 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
* 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)

* 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)
* 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
* 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
* 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (snort3-browser-other.rules)
* 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (snort3-browser-other.rules)
* 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (snort3-browser-ie.rules)
* 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (snort3-browser-ie.rules)
* 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
* 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (snort3-malware-cnc.rules)
* 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (snort3-server-other.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
* 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
* 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
* 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
* 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (snort3-netbios.rules)
* 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (snort3-malware-cnc.rules)
* 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (snort3-malware-cnc.rules)
* 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (snort3-server-webapp.rules)
* 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (snort3-os-windows.rules)
* 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (snort3-pua-other.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (snort3-pua-other.rules)
* 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (snort3-pua-other.rules)
* 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (snort3-pua-other.rules)
* 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (snort3-pua-other.rules)
* 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (snort3-pua-other.rules)
* 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (snort3-malware-cnc.rules)
* 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (snort3-server-other.rules)
* 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (snort3-server-other.rules)
* 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (snort3-os-windows.rules)
* 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (snort3-os-windows.rules)
* 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (snort3-malware-cnc.rules)
* 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (snort3-malware-cnc.rules)
* 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (snort3-malware-cnc.rules)
* 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
* 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
* 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
* 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (snort3-server-apache.rules)
* 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
* 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
* 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
* 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
* 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (snort3-malware-cnc.rules)
* 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (snort3-malware-cnc.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (snort3-malware-cnc.rules)

* 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (snort3-file-office.rules)
* 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (snort3-server-other.rules)
* 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (snort3-file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
* 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
* 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
* 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
* 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
* 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
* 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
* 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
* 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
* 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
* 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
* 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
* 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)

* 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)
* 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
* 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
* 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
* 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
* 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
* 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
* 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
* 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
* 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
* 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
* 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
* 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
* 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
* 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
* 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
* 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
* 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
* 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
* 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
* 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
* 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
* 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
* 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
* 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

* 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
* 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)