Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
* 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)

* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)
* 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)

* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (snort3-indicator-compromise.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (snort3-file-other.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (snort3-indicator-compromise.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (snort3-indicator-compromise.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (snort3-indicator-compromise.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (snort3-file-other.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (snort3-indicator-compromise.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (snort3-indicator-compromise.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (snort3-file-other.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (snort3-indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (snort3-indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (snort3-indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (snort3-indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (snort3-indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (snort3-indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (snort3-indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (snort3-indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (snort3-indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (snort3-indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (snort3-indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (snort3-indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (snort3-indicator-compromise.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (snort3-indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (snort3-indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (snort3-indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (snort3-indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (snort3-indicator-compromise.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (snort3-indicator-compromise.rules)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (snort3-file-other.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (snort3-file-other.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (snort3-file-other.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (snort3-file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
* 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)

* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
* 3:48639 <-> ENABLED <->
SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules) * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules) * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
* 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
* 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
* 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
* 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
* 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
* 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
* 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
* 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
* 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
* 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
* 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
* 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
* 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
* 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
* 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
* 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
* 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
* 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
* 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
* 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
* 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
* 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
* 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
* 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
* 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
* 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)
* 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
* 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
* 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)