Talos has added and modified multiple rules in the browser-ie, file-office, indicator-scan, malware-cnc, malware-other, os-other, os-windows, protocol-dns, protocol-telnet, server-iis, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules added and modified in the Sourcefire VRT Certified rule pack for Snort version 2091401 (Snort 2.9.14.1).
Each entry in the list has the format:
gid:sid <-> Default rule state <-> Message (rule group)
gid 1 entries are text rules; gid 3 entries are shared-object (SO) rules, which need the precompiled library built for the matching Snort version. A rule whose default state is DISABLED provides no coverage until it is enabled in the local policy.
Added rules:
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
Modified rules:
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
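The entry format described above (gid:sid <-> Default rule state <-> Message (rule group)) is the same in every version section of this page. The script below is an added example, not part of the Talos release notes and not Snort or Talos tooling: it parses a block of entries in that format, tolerating the run-together and line-wrapped entries seen on this page, tallies ENABLED versus DISABLED entries per rule group, and lists the SIDs that ship DISABLED in the groups an operator cares about, in the one-per-line gid:sid form that PulledPork's enablesid.conf uses. The sample text is a handful of entries copied from the list above; the choice of groups to review is an assumed operator decision.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: entries copied from the rule list above. The first line carries
# two entries run together and the Mosca entry is wrapped across two lines, which is
# how the list appears after extraction, so the parser must not assume one entry per line.
SAMPLE = """\
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules) * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service
attempt (server-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
"""

# One entry: gid:sid <-> STATE <-> message (group.rules). The "(group.rules)" suffix,
# not a newline, terminates the message, so entries are matched in a joined string.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[a-z0-9-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int          # 1 = text rule, 3 = shared-object rule
    sid: int
    enabled: bool     # default state as shipped in the rule pack
    category: str     # leading token of the message, e.g. MALWARE-CNC
    message: str
    group: str        # rule file, e.g. malware-cnc.rules


def parse_entries(text):
    """Parse every gid:sid entry in text, tolerating wrapped and run-together lines."""
    joined = " ".join(line.strip() for line in text.splitlines())
    entries = []
    for m in ENTRY_RE.finditer(joined):
        message = " ".join(m["msg"].split())
        entries.append(RuleEntry(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            category=message.split(" ", 1)[0],
            message=message,
            group=m["group"],
        ))
    return entries


def summarize(entries):
    """Per rule group, how many entries ship ENABLED versus DISABLED."""
    counts = defaultdict(lambda: {"enabled": 0, "disabled": 0})
    for e in entries:
        counts[e.group]["enabled" if e.enabled else "disabled"] += 1
    return dict(counts)


def disabled_in_groups(entries, groups):
    """(gid, sid) pairs that ship DISABLED in the given rule groups, sorted.
    A rule shipped disabled gives no coverage until the operator turns it on."""
    return sorted((e.gid, e.sid) for e in entries if not e.enabled and e.group in groups)


def enablesid_lines(entries, groups):
    """The same SIDs as gid:sid strings, one per line, the form enablesid.conf takes."""
    return [f"{gid}:{sid}" for gid, sid in disabled_in_groups(entries, groups)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for group, c in sorted(summarize(parsed).items()):
        print(f"{group:22} enabled={c['enabled']} disabled={c['disabled']}")
    # Assumed operator choice: review server-side rules that ship disabled.
    print("\n".join(enablesid_lines(parsed, {"server-other.rules", "server-webapp.rules"})))
```

Run against a whole section pasted into SAMPLE, the summary shows at a glance that most of the server-side and file-format rules in this release ship DISABLED and only the malware C2 and SO rules are on by default, which is the list an operator has to act on rather than simply pull.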
This is the complete list of rules added and modified in the Sourcefire VRT Certified rule pack for Snort version 2091300 (Snort 2.9.13.0).
Each entry in the list has the format:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
Modified rules:
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
This is the complete list of rules added and modified in the Sourcefire VRT Certified rule pack for Snort version 2091200 (Snort 2.9.12.0).
Each entry in the list has the format:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
Modified rules:
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
This is the complete list of rules added and modified in the Sourcefire VRT Certified rule pack for Snort version 2091101 (Snort 2.9.11.1).
Each entry in the list has the format:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (snort3-server-webapp.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (snort3-malware-other.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (snort3-malware-cnc.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (snort3-malware-other.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (snort3-file-office.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (snort3-file-office.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (snort3-malware-other.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (snort3-malware-cnc.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (snort3-protocol-telnet.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (snort3-malware-cnc.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (snort3-server-other.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (snort3-browser-ie.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (snort3-server-other.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (snort3-file-office.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (snort3-malware-cnc.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (snort3-browser-ie.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (snort3-server-other.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (snort3-file-office.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (snort3-file-office.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (snort3-indicator-scan.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (snort3-server-webapp.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (snort3-malware-cnc.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (snort3-malware-cnc.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (snort3-server-other.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (snort3-server-iis.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (snort3-server-other.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (snort3-file-office.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (snort3-server-other.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (snort3-file-office.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (snort3-server-other.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (snort3-server-other.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (snort3-server-other.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (snort3-protocol-dns.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (snort3-server-webapp.rules)
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (snort3-server-other.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (snort3-server-iis.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
* 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
* 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
* 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
* 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
* 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
* 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
* 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
* 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
* 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
* 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
* 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
* 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
* 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
* 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
* 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
* 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
* 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
* 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
* 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
* 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
* 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
* 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
* 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
* 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
* 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
* 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
* 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
* 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
* 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
* 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
* 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
* 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
* 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
* 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
* 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
* 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
* 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
* 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
* 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
* 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)