Talos has added and modified multiple rules in the file-office, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
* 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
* 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
* 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)

* 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
* 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
* 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
* 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)

* 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
* 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
* 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
* 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (snort3-file-office.rules)
* 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (snort3-file-office.rules)
* 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (snort3-file-office.rules)
* 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (snort3-file-office.rules)
* 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
* 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (snort3-server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (snort3-server-webapp.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
* 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (snort3-policy-other.rules)
* 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (snort3-policy-other.rules)
* 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
* 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
* 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
* 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
* 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
* 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
* 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (snort3-server-other.rules)
* 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (snort3-server-other.rules)
* 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
* 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
* 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (snort3-server-other.rules)
* 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (snort3-server-other.rules)
* 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
* 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
* 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)

* 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (snort3-file-other.rules)
* 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (snort3-file-other.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
* 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
* 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)

* 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
* 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
* 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
* 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
* 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
* 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
* 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
* 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
* 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
* 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
* 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
* 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
* 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
* 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)

* 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
* 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
* 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)