Talos has added and modified multiple rules in the file-flash, file-multimedia, file-office, file-pdf, malware-cnc, protocol-tftp, pua-adware, pua-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
* 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
* 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
* 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
* 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
* 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
* 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
* 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
* 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
* 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
* 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
* 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
* 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
* 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
* 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (snort3-file-flash.rules)
* 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (snort3-protocol-tftp.rules)
* 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (snort3-file-office.rules)
* 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (snort3-file-pdf.rules)
* 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (snort3-server-other.rules)
* 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (snort3-file-office.rules)
* 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (snort3-file-multimedia.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (snort3-malware-cnc.rules)
* 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (snort3-file-office.rules)
* 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (snort3-file-multimedia.rules)
* 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (snort3-file-multimedia.rules)
* 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (snort3-file-pdf.rules)
* 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (snort3-file-multimedia.rules)
* 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (snort3-pua-adware.rules)
* 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (snort3-file-flash.rules)
* 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (snort3-pua-adware.rules)
* 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (snort3-server-webapp.rules)
* 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (snort3-server-webapp.rules)
* 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (snort3-malware-cnc.rules)
* 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (snort3-malware-cnc.rules)
* 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (snort3-malware-cnc.rules)
* 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (snort3-server-webapp.rules)
* 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (snort3-server-webapp.rules)
* 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (snort3-server-webapp.rules)
* 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
* 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (snort3-file-office.rules)
* 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
* 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
* 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
* 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (snort3-malware-cnc.rules)
* 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (snort3-malware-cnc.rules)
* 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
* 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
* 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
* 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)
* 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)
* 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)

* 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (snort3-file-pdf.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (snort3-pua-other.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
* 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
* 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
* 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
* 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
* 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
* 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
* 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
* 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
* 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
* 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
* 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
* 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
* 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
* 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
* 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
* 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
* 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
* 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
* 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
* 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
* 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
* 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
* 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
* 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
* 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
* 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
* 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
* 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

* 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
* 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
* 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
* 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)