Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (snort3-malware-cnc.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (snort3-malware-cnc.rules)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (snort3-malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (snort3-policy-other.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (snort3-file-other.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (snort3-file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (snort3-server-webapp.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (snort3-file-pdf.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (snort3-file-pdf.rules)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (snort3-indicator-compromise.rules)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (snort3-indicator-compromise.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (snort3-indicator-compromise.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (snort3-indicator-compromise.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (snort3-indicator-compromise.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (snort3-indicator-compromise.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (snort3-indicator-compromise.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (snort3-indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (snort3-indicator-compromise.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (snort3-indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (snort3-indicator-compromise.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (snort3-indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (snort3-indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (snort3-indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (snort3-indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (snort3-indicator-compromise.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (snort3-browser-ie.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (snort3-indicator-compromise.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (snort3-browser-ie.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (snort3-indicator-compromise.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (snort3-indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (snort3-indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (snort3-indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (snort3-indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (snort3-indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (snort3-indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (snort3-indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (snort3-indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (snort3-indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (snort3-indicator-compromise.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (snort3-indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (snort3-indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (snort3-indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (snort3-indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (snort3-indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (snort3-indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (snort3-indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
* 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
* 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
* 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
* 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
* 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
* 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
* 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
* 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
* 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
* 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
* 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
* 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
* 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
* 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
* 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
* 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
* 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
* 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
* 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
* 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
* 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
* 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
* 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
* 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
* 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
* 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
* 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
* 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
* 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
* 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
* 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
* 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
* 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
* 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
* 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
* 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
* 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
* 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
* 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
* 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
* 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
* 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
* 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
* 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
* 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
* 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
* 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
* 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
* 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
* 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
* 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
* 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
* 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
* 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
* 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
* 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
* 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
* 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
* 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
* 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
* 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
* 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
* 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
* 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)