Talos has added and modified multiple rules in the file-other, file-pdf, malware-cnc, os-windows, protocol-scada, pua-adware and server-other rule sets to provide coverage for emerging threats affecting these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
* 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (protocol-scada.rules)
* 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request (protocol-scada.rules)
* 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request (protocol-scada.rules)
* 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request (protocol-scada.rules)
* 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request (protocol-scada.rules)
* 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request (protocol-scada.rules)
* 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request (protocol-scada.rules)
* 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request (protocol-scada.rules)
* 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request (protocol-scada.rules)
* 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request (protocol-scada.rules)
* 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request (protocol-scada.rules)
* 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request (protocol-scada.rules)
* 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request (protocol-scada.rules)
* 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request (protocol-scada.rules)
* 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request (protocol-scada.rules)
* 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request (protocol-scada.rules)
* 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request (protocol-scada.rules)
* 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request (protocol-scada.rules)
* 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request (protocol-scada.rules)
* 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request (protocol-scada.rules)
* 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request (protocol-scada.rules)
* 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request (protocol-scada.rules)
* 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request (protocol-scada.rules)
* 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request (protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
* 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
* 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
* 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
* 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
* 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
* 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
* 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
* 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
* 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
* 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
* 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
* 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
* 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
* 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
* 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
* 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
* 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
* 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
* 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
* 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
* 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
* 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
* 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
* 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
* 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
* 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
* 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
* 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
* 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)
* 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
* 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
* 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
* 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
* 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
* 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
* 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
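The format line above is enough to turn one of these changelogs into a rule-state decision. The Python script below is an added example for this page, not Talos or Snort project code. It parses entries in the `gid:sid <-> state <-> message (group)` form, selects the PCOM rules (PCOM is the Unitronics PLC protocol; these entries ship DISABLED and are only worth enabling where that traffic crosses the sensor), emits them one `gid:sid` per line, and reports entries present in one pack but absent from another. The sample lines are copied from the Snort 2983 and Snort 3000 lists on this page; the `pulledpork`-style output format and the helper names are the example's own.

```python
"""Parse Talos rule-update changelog entries and turn them into rule-state
decisions. Added example for this page; not Talos or Snort project code."""
import re
from collections import Counter, namedtuple

# One changelog entry: "* gid:sid <-> STATE <-> message (group.rules)".
# The leading bullet is optional so lines pasted without it still parse.
ENTRY_RE = re.compile(
    r"^\s*(?:\*\s*)?(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

Entry = namedtuple("Entry", "gid sid state category msg group")

# Constructed sample input: entries copied from the Snort 2983 (2.9.8.3) and
# Snort 3000 (Snort 3) lists on this page. The format line is included on
# purpose to show that non-entry lines are ignored.
SNORT2_SAMPLE = """\
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
* 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
"""

SNORT3_SAMPLE = """\
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (snort3-protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (snort3-protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (snort3-os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (snort3-pua-adware.rules)
"""


def parse_entries(text):
    """Parse changelog text into Entry tuples; lines that are not entries are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        category = msg.split(" ", 1)[0]  # leading token, e.g. PROTOCOL-SCADA
        entries.append(Entry(int(m.group("gid")), int(m.group("sid")),
                             m.group("state"), category, msg, m.group("group")))
    return entries


def select_sids(entries, category=None, msg_prefix=None, state=None):
    """Sorted, de-duplicated (gid, sid) pairs matching every filter given."""
    chosen = set()
    for e in entries:
        if category is not None and e.category != category:
            continue
        if msg_prefix is not None and not e.msg.startswith(msg_prefix):
            continue
        if state is not None and e.state != state:
            continue
        chosen.add((e.gid, e.sid))
    return sorted(chosen)


def enablesid_lines(pairs):
    """Render (gid, sid) pairs one per line as gid:sid, the form PulledPork's
    enablesid.conf accepts."""
    return [f"{gid}:{sid}" for gid, sid in pairs]


def missing_from(pack_a, pack_b):
    """(gid, sid) pairs listed in pack_a but absent from pack_b."""
    ids_a = {(e.gid, e.sid) for e in pack_a}
    ids_b = {(e.gid, e.sid) for e in pack_b}
    return sorted(ids_a - ids_b)


def state_summary(entries):
    """Count entries per (category, default state), e.g. how many SCADA rules ship off."""
    return Counter((e.category, e.state) for e in entries)


if __name__ == "__main__":
    snort2 = parse_entries(SNORT2_SAMPLE)
    snort3 = parse_entries(SNORT3_SAMPLE)
    # PCOM rules ship DISABLED; enable them only where PLC traffic is expected.
    pcom = select_sids(snort2, msg_prefix="PROTOCOL-SCADA PCOM")
    print("\n".join(enablesid_lines(pcom)))
    print("in Snort 2 pack only:", missing_from(snort2, snort3))
    print(state_summary(snort2))
```

A DISABLED entry is shipped in the pack but not loaded until the local policy turns it on, so the changelog state is a default, not a verdict on relevance; the PCOM request and reply rules are the obvious candidates to enable on a sensor in front of Unitronics PLCs and to leave off elsewhere. Run against the full lists on this page, `missing_from` also makes visible that the Snort 3000 list carries no gid 3 (shared-object) entries, so the TRUFFLEHUNTER coverage in the Snort 2 packs has no counterpart there.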
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
* 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (protocol-scada.rules)
* 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request (protocol-scada.rules)
* 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request (protocol-scada.rules)
* 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request (protocol-scada.rules)
* 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request (protocol-scada.rules)
* 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request (protocol-scada.rules)
* 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request (protocol-scada.rules)
* 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request (protocol-scada.rules)
* 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request (protocol-scada.rules)
* 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request (protocol-scada.rules)
* 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request (protocol-scada.rules)
* 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request (protocol-scada.rules)
* 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request (protocol-scada.rules)
* 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request (protocol-scada.rules)
* 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request (protocol-scada.rules)
* 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request (protocol-scada.rules)
* 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request (protocol-scada.rules)
* 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request (protocol-scada.rules)
* 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request (protocol-scada.rules)
* 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request (protocol-scada.rules)
* 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request (protocol-scada.rules)
* 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request (protocol-scada.rules)
* 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request (protocol-scada.rules)
* 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request (protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
* 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
* 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
* 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
* 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
* 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
* 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
* 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
* 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
* 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
* 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
* 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
* 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
* 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
* 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
* 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
* 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
* 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
* 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
* 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
* 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
* 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
* 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
* 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
* 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
* 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
* 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
* 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
* 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
* 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)
* 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
* 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
* 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
* 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
* 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
* 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
* 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000 (Snort 3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (snort3-malware-cnc.rules)
* 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (snort3-malware-cnc.rules)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (snort3-protocol-scada.rules)
* 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request (snort3-protocol-scada.rules)
* 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request (snort3-protocol-scada.rules)
* 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request (snort3-protocol-scada.rules)
* 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request (snort3-protocol-scada.rules)
* 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request (snort3-protocol-scada.rules)
* 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request (snort3-protocol-scada.rules)
* 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request (snort3-protocol-scada.rules)
* 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request (snort3-protocol-scada.rules)
* 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request (snort3-protocol-scada.rules)
* 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request (snort3-protocol-scada.rules)
* 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request (snort3-protocol-scada.rules)
* 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request (snort3-protocol-scada.rules)
* 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request (snort3-protocol-scada.rules)
* 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request (snort3-protocol-scada.rules)
* 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request (snort3-protocol-scada.rules)
* 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request (snort3-protocol-scada.rules)
* 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request (snort3-protocol-scada.rules)
* 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request (snort3-protocol-scada.rules)
* 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request (snort3-protocol-scada.rules)
* 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request (snort3-protocol-scada.rules)
* 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request (snort3-protocol-scada.rules)
* 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request (snort3-protocol-scada.rules)
* 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request (snort3-protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (snort3-protocol-scada.rules)
* 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (snort3-protocol-scada.rules)
* 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (snort3-protocol-scada.rules)
* 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (snort3-protocol-scada.rules)
* 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (snort3-protocol-scada.rules)
* 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (snort3-protocol-scada.rules)
* 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (snort3-protocol-scada.rules)
* 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (snort3-protocol-scada.rules)
* 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (snort3-protocol-scada.rules)
* 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (snort3-protocol-scada.rules)
* 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (snort3-protocol-scada.rules)
* 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (snort3-protocol-scada.rules)
* 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (snort3-protocol-scada.rules)
* 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (snort3-protocol-scada.rules)
* 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (snort3-protocol-scada.rules)
* 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (snort3-protocol-scada.rules)
* 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (snort3-protocol-scada.rules)
* 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (snort3-protocol-scada.rules)
* 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (snort3-protocol-scada.rules)
* 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (snort3-protocol-scada.rules)
* 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (snort3-protocol-scada.rules)
* 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (snort3-protocol-scada.rules)
* 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (snort3-protocol-scada.rules)
* 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (snort3-protocol-scada.rules)
* 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (snort3-protocol-scada.rules)
* 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (snort3-protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (snort3-malware-cnc.rules)
* 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
* 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
* 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (snort3-file-other.rules)
* 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (snort3-file-other.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (snort3-os-windows.rules)
* 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (snort3-os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (snort3-pua-adware.rules)
* 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (snort3-pua-adware.rules)
* 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (snort3-pua-adware.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (snort3-malware-cnc.rules)
* 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101 (Snort 2.9.11.1).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
* 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (protocol-scada.rules)
* 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request (protocol-scada.rules)
* 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request (protocol-scada.rules)
* 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request (protocol-scada.rules)
* 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request (protocol-scada.rules)
* 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request (protocol-scada.rules)
* 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request (protocol-scada.rules)
* 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request (protocol-scada.rules)
* 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request (protocol-scada.rules)
* 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request (protocol-scada.rules)
* 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request (protocol-scada.rules)
* 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request (protocol-scada.rules)
* 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request (protocol-scada.rules)
* 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request (protocol-scada.rules)
* 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request (protocol-scada.rules)
* 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request (protocol-scada.rules)
* 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request (protocol-scada.rules)
* 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request (protocol-scada.rules)
* 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request (protocol-scada.rules)
* 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request (protocol-scada.rules)
* 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request (protocol-scada.rules)
* 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request (protocol-scada.rules)
* 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request (protocol-scada.rules)
* 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request (protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
* 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
* 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
* 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
* 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
* 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
* 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
* 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
* 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
* 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
* 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
* 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
* 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
* 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
* 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
* 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
* 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
* 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
* 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
* 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
* 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
* 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
* 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
* 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
* 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
* 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
* 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
* 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
* 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
* 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)
* 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
* 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
* 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
* 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
* 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
* 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
* 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200 (Snort 2.9.12.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:48982 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock outbound connection (malware-cnc.rules)
* 1:48998 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII request (protocol-scada.rules)
* 1:48997 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII request (protocol-scada.rules)
* 1:48996 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Longs ASCII request (protocol-scada.rules)
* 1:48995 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII request (protocol-scada.rules)
* 1:48994 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII request (protocol-scada.rules)
* 1:48993 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Longs ASCII request (protocol-scada.rules)
* 1:48992 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII request (protocol-scada.rules)
* 1:48991 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII request (protocol-scada.rules)
* 1:48990 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII request (protocol-scada.rules)
* 1:48989 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII request (protocol-scada.rules)
* 1:48988 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII request (protocol-scada.rules)
* 1:48987 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII request (protocol-scada.rules)
* 1:48986 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII request (protocol-scada.rules)
* 1:48985 <-> DISABLED <-> PROTOCOL-SCADA PCOM Init Device ASCII request (protocol-scada.rules)
* 1:48984 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII request (protocol-scada.rules)
* 1:48983 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.MongoLock inbound connection (malware-cnc.rules)
* 1:49001 <-> DISABLED <-> PROTOCOL-SCADA PCOM Start Device ASCII request (protocol-scada.rules)
* 1:49000 <-> DISABLED <-> PROTOCOL-SCADA PCOM Stop Device ASCII request (protocol-scada.rules)
* 1:48999 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII request (protocol-scada.rules)
* 1:49004 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII request (protocol-scada.rules)
* 1:49003 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII request (protocol-scada.rules)
* 1:49002 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Longs ASCII request (protocol-scada.rules)
* 1:49006 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Longs ASCII request (protocol-scada.rules)
* 1:49005 <-> DISABLED <-> PROTOCOL-SCADA PCOM Reset Device ASCII request (protocol-scada.rules)
* 1:49009 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set UnitID ASCII reply (protocol-scada.rules)
* 1:49008 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary request (protocol-scada.rules)
* 1:49007 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII request (protocol-scada.rules)
* 1:49011 <-> DISABLED <-> PROTOCOL-SCADA PCOM Identification ASCII reply (protocol-scada.rules)
* 1:49010 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get RTC ASCII reply (protocol-scada.rules)
* 1:49012 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary request (protocol-scada.rules)
* 1:49033 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary reply (protocol-scada.rules)
* 1:49032 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Data Table binary reply (protocol-scada.rules)
* 1:49031 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary reply (protocol-scada.rules)
* 1:49030 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Operands binary reply (protocol-scada.rules)
* 1:49029 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Longs ASCII reply (protocol-scada.rules)
* 1:49028 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply (protocol-scada.rules)
* 1:49027 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Ouputs ASCII reply (protocol-scada.rules)
* 1:49026 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Bits ASCII reply (protocol-scada.rules)
* 1:49025 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write System Integers ASCII reply (protocol-scada.rules)
* 1:49024 <-> DISABLED <-> PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply (protocol-scada.rules)
* 1:49023 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply (protocol-scada.rules)
* 1:49022 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply (protocol-scada.rules)
* 1:49021 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Ouputs ASCII reply (protocol-scada.rules)
* 1:49020 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Integers ASCII reply (protocol-scada.rules)
* 1:49019 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Longs ASCII reply (protocol-scada.rules)
* 1:49018 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read System Bits ASCII reply (protocol-scada.rules)
* 1:49017 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Inputs ASCII reply (protocol-scada.rules)
* 1:49016 <-> DISABLED <-> PROTOCOL-SCADA PCOM Set RTC ASCII reply (protocol-scada.rules)
* 1:49015 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get PLC Name binary request (protocol-scada.rules)
* 1:49014 <-> DISABLED <-> PROTOCOL-SCADA PCOM Read Data Table binary request (protocol-scada.rules)
* 1:49013 <-> DISABLED <-> PROTOCOL-SCADA PCOM Get UnitID ASCII reply (protocol-scada.rules)
* 1:49044 <-> DISABLED <-> PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected (pua-adware.rules)
* 1:49043 <-> DISABLED <-> PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected (pua-adware.rules)
* 1:49042 <-> DISABLED <-> PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected (pua-adware.rules)
* 1:49041 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49040 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Terminal server RDP bypass attempt (os-windows.rules)
* 1:49039 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49038 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file email address remote code execution attempt (file-other.rules)
* 1:49037 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49036 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
* 1:49035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 1:49034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt (malware-cnc.rules)
* 3:49046 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:49047 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0763 attack attempt (protocol-scada.rules)
* 3:48981 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0765 attack attempt (protocol-scada.rules)
* 3:49045 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0762 attack attempt (file-other.rules)
* 3:48979 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0764 attack attempt (protocol-scada.rules)
* 3:48980 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0766 attack attempt (protocol-scada.rules)
* 3:48975 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0767 attack attempt (protocol-scada.rules)
* 3:48978 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0768 attack attempt (protocol-scada.rules)
* 3:48977 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0770 attack attempt (protocol-scada.rules)
* 3:48976 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0769 attack attempt (protocol-scada.rules)
* 1:31033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection (malware-cnc.rules)
* 1:48359 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion unauthenticated file upload attempt (server-other.rules)
* 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)