Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, malware-cnc, os-other, os-windows, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
* 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
* 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
* 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
* 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
* 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
* 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
* 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
* 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
* 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
* 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
* 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
* 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
* 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
* 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

* 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
* 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
* 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
* 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
* 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
* 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
* 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
* 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
* 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
* 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
* 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
* 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
* 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
* 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
* 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
* 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
* 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (snort3-server-webapp.rules)
* 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (snort3-server-webapp.rules)
* 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (snort3-server-webapp.rules)
* 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (snort3-server-webapp.rules)
* 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (snort3-file-other.rules)
* 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (snort3-server-apache.rules)
* 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (snort3-server-webapp.rules)
* 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (snort3-file-other.rules)
* 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
* 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (snort3-malware-cnc.rules)
* 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
* 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (snort3-file-other.rules)
* 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (snort3-browser-ie.rules)
* 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (snort3-server-other.rules)
* 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (snort3-file-other.rules)
* 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
* 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
* 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
* 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (snort3-server-webapp.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
* 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (snort3-protocol-scada.rules)
* 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (snort3-server-webapp.rules)
* 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (snort3-malware-cnc.rules)
* 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (snort3-server-webapp.rules)
* 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (snort3-malware-cnc.rules)
* 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (snort3-malware-cnc.rules)
* 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (snort3-malware-cnc.rules)
* 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (snort3-server-webapp.rules)
* 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (snort3-server-webapp.rules)
* 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (snort3-browser-ie.rules)

* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (snort3-os-windows.rules)
* 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (snort3-server-other.rules)
* 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (snort3-server-webapp.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (snort3-malware-cnc.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
* 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
* 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
* 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
* 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
* 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
* 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
* 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
* 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
* 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
* 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
* 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
* 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
* 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
* 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
* 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
* 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
* 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
* 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
* 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
* 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
* 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
* 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
* 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
* 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
* 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
* 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
* 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
* 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
* 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
* 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
* 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
* 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
* 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
* 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
* 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
* 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
* 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
* 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
* 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
* 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
* 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
* 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
* 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
* 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
* 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
* 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
* 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)