Talos has added and modified multiple rules in the file-identify, file-office, file-pdf, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows, protocol-dns, protocol-telnet, pua-p2p, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
* 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
* 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)
* 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
* 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
* 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
* 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
* 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
* 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
* 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
* 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
* 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
* 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
* 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
* 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
* 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
* 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
* 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
* 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
* 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
* 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
* 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
* 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
* 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
* 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
* 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
* 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
* 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
* 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
* 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
* 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
* 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
* 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
* 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
* 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
* 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (snort3-file-pdf.rules)
* 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (snort3-server-webapp.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (snort3-malware-cnc.rules)
* 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (snort3-server-webapp.rules)
* 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (snort3-server-apache.rules)
* 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (snort3-server-apache.rules)
* 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (snort3-file-pdf.rules)
* 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (snort3-server-apache.rules)
* 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (snort3-file-pdf.rules)
* 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (snort3-file-pdf.rules)
* 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (snort3-pua-p2p.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
* 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (snort3-malware-backdoor.rules)
* 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (snort3-pua-p2p.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (snort3-os-windows.rules)
* 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (snort3-malware-cnc.rules)
* 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (snort3-file-identify.rules)
* 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (snort3-malware-cnc.rules)
* 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (snort3-malware-backdoor.rules)
* 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (snort3-malware-other.rules)
* 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (snort3-malware-tools.rules)
* 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (snort3-malware-tools.rules)
* 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (snort3-file-office.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (snort3-protocol-dns.rules)
* 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (snort3-malware-cnc.rules)
* 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (snort3-protocol-telnet.rules)
* 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (snort3-file-identify.rules)
* 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (snort3-protocol-telnet.rules)
* 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (snort3-pua-p2p.rules)
* 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (snort3-server-other.rules)
* 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (snort3-server-other.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (snort3-os-windows.rules)
* 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (snort3-malware-cnc.rules)
* 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (snort3-malware-cnc.rules)
* 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (snort3-file-identify.rules)
* 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (snort3-malware-backdoor.rules)
* 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (snort3-file-identify.rules)
* 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
* 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
* 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
* 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (snort3-malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
* 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
* 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
* 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
* 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
* 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
* 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
* 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
* 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
* 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
* 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
* 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
* 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
* 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
* 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
* 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
* 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
* 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
* 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
* 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
* 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
* 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
* 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
* 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
* 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
* 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)
* 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
* 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
* 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
* 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
* 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
* 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
* 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
* 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
* 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
* 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
* 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
* 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
* 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
* 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
* 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
* 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
* 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
* 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
* 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
* 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
* 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
* 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
* 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
* 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)