Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
* 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
* 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
* 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
* 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
* 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
* 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
* 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
* 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
* 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
* 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
* 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
* 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
* 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
* 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
* 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
* 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
* 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)

* 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
* 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
* 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
* 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
* 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
* 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
* 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
* 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
* 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
* 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
* 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
* 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
* 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
* 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
* 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
* 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
* 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
* 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
* 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
* 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)

* 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
* 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
* 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (snort3-malware-cnc.rules)
* 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (snort3-malware-other.rules)
* 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (snort3-malware-other.rules)
* 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (snort3-malware-cnc.rules)
* 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (snort3-malware-cnc.rules)
* 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (snort3-policy-other.rules)
* 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (snort3-server-webapp.rules)
* 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (snort3-server-webapp.rules)
* 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
* 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
* 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
* 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (snort3-server-webapp.rules)
* 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (snort3-server-webapp.rules)
* 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
* 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (snort3-malware-other.rules)
* 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (snort3-malware-cnc.rules)
* 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
* 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
* 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
* 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (snort3-malware-cnc.rules)
* 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (snort3-server-webapp.rules)
* 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (snort3-policy-other.rules)
* 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (snort3-malware-other.rules)
* 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (snort3-server-webapp.rules)
* 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (snort3-server-other.rules)
* 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (snort3-server-other.rules)
* 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (snort3-malware-cnc.rules)
* 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (snort3-malware-cnc.rules)
* 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
* 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (snort3-policy-other.rules)
* 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (snort3-malware-cnc.rules)
* 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (snort3-server-other.rules)
* 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (snort3-indicator-compromise.rules)
* 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (snort3-indicator-compromise.rules)
* 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (snort3-server-webapp.rules)
* 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (snort3-policy-other.rules)
* 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
* 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)

* 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (snort3-server-webapp.rules)
* 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (snort3-server-webapp.rules)
* 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
* 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
* 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
* 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
* 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
* 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
* 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
* 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
* 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
* 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
* 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
* 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
* 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
* 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
* 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
* 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
* 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)

* 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
* 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
* 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
* 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
* 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
* 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
* 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
* 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
* 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
* 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
* 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
* 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
* 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
* 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
* 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
* 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
* 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
* 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
* 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
* 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
* 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
* 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
* 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
* 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
* 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
* 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
* 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
* 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
* 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
* 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)

* 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
* 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
* 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)