Talos has added and modified multiple rules in the deleted, file-image, malware-cnc, os-windows, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
* 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
* 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (snort3-malware-cnc.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (snort3-server-webapp.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (snort3-malware-cnc.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (snort3-malware-cnc.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (snort3-server-webapp.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (snort3-server-webapp.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (snort3-server-webapp.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (snort3-server-webapp.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (snort3-malware-cnc.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (snort3-malware-cnc.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (snort3-malware-cnc.rules)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (snort3-deleted.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (snort3-malware-cnc.rules)

* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (snort3-server-webapp.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (snort3-protocol-ftp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
* 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
* 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
* 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
* 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
* 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
* 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
* 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
* 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
* 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
* 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
* 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
* 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
* 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
* 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
* 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
* 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
* 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

* 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
* 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)