Talos has added and modified multiple rules in the file-flash, file-identify, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other, os-mobile, os-other, policy-other, protocol-other, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
Modified Rules:
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)
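The entry format stated above (gid:sid <-> Default rule state <-> Message (rule group)) is simple enough to parse into structured records, which is what you want when deciding which of the DISABLED-by-default coverage rules in a release to switch on. The Python below is an added example written for this page; it is not part of the Talos release notes and not code from the Snort or PulledPork projects. The sample text is a handful of entries copied from the lists on this page (one of them wrapped across lines the way the page wraps them), and the gid:sid output format is assumed to be consumed by a PulledPork-style enablesid.conf; adapt it for whatever rule manager you actually use.

```python
"""Parse Talos rule-pack release-note entries of the form

    * gid:sid <-> STATE <-> MESSAGE (rule-group.rules)

and derive two things a rule maintainer wants from each release: a count of
what shipped ENABLED vs DISABLED per message category, and a list of gid:sid
references for the disabled text rules in the categories you care about.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# DOTALL plus the whitespace normalisation in parse_entries() lets an entry
# survive the line wrapping seen on the page ("CuteFlow \npre-authenticated").
ENTRY_RE = re.compile(
    r"\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\.rules\)",
    re.DOTALL,
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str    # leading token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str       # rule file name without .rules and without any snort3- prefix
    snort3: bool     # True when the entry came from a snort3-*.rules file

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_entries(text: str) -> list[RuleEntry]:
    """Parse every '* gid:sid <-> STATE <-> msg (group.rules)' entry in text."""
    entries: list[RuleEntry] = []
    for m in ENTRY_RE.finditer(text):
        group = m.group("group")
        snort3 = group.startswith("snort3-")
        if snort3:
            group = group[len("snort3-"):]
        message = " ".join(m.group("msg").split())   # collapse wrapped whitespace
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=m.group("state") == "ENABLED",
            category=message.split(" ", 1)[0],
            message=message,
            group=group,
            snort3=snort3,
        ))
    return entries


def state_by_category(entries: list[RuleEntry]) -> dict[tuple[str, str], int]:
    """Count entries per (category, default state)."""
    counts: Counter[tuple[str, str]] = Counter()
    for e in entries:
        counts[(e.category, "ENABLED" if e.enabled else "DISABLED")] += 1
    return dict(counts)


def enablesid_refs(entries: list[RuleEntry], categories: set[str]) -> list[str]:
    """Sorted gid:sid references for the DISABLED text rules (gid 1) in the
    chosen categories. gid 3 shared-object rules are left out on purpose:
    enabling their sids does nothing without the platform .so files.
    Output shape (one gid:sid per line) assumes a PulledPork enablesid.conf."""
    refs = {e.ref for e in entries
            if not e.enabled and e.gid == 1 and e.category in categories}
    return sorted(refs, key=lambda r: tuple(int(x) for x in r.split(":")))


# Constructed sample: six entries copied from the lists on this page, with one
# entry deliberately wrapped across lines the way the page itself wraps them.
SAMPLE = """\
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules) * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules) * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow
pre-authenticated admin account creation attempt (server-webapp.rules) * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (snort3-server-other.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
"""

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for (cat, state), n in sorted(state_by_category(parsed).items()):
        print(f"{cat:<14} {state:<9} {n}")
    print("enablesid.conf candidates:")
    print("\n".join(enablesid_refs(parsed, {"SERVER-WEBAPP", "SERVER-OTHER"})))
```

Two caveats when acting on the output. The state shown in these notes is the default state in the ruleset snapshot, not the state in your deployed policy: a rule that is DISABLED here may already be on via a balanced or security policy selection, and a rule that is ENABLED here may be off in yours, so diff against your running configuration rather than this list. And gid 3 entries (the TRUFFLEHUNTER and VxWorks rules above) are shared-object rules that need the precompiled .so for your platform and Snort build before their sids are meaningful.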
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (snort3-server-other.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (snort3-server-other.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (snort3-protocol-voip.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (snort3-file-pdf.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (snort3-server-other.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (snort3-file-identify.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (snort3-file-other.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (snort3-file-pdf.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (snort3-os-mobile.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (snort3-protocol-voip.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (snort3-file-flash.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (snort3-server-webapp.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (snort3-server-other.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (snort3-malware-cnc.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (snort3-malware-other.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (snort3-policy-other.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (snort3-file-flash.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (snort3-protocol-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (snort3-os-mobile.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (snort3-server-other.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
Modified Rules:
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (snort3-file-identify.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (snort3-server-webapp.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (snort3-file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (snort3-file-identify.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (snort3-file-identify.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (snort3-server-apache.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (snort3-file-identify.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (snort3-file-identify.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (snort3-file-identify.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (snort3-server-other.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (snort3-file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
Modified Rules:
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
* 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
* 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
* 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
* 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
* 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
* 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
* 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
* 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
* 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
* 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
* 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
* 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
* 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
* 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
* 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
* 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
* 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
* 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
* 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
* 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
* 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
* 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
* 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
* 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
* 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
* 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
* 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
* 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
* 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
* 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
* 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
* 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
* 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
* 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
* 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
* 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)