Talos has added and modified multiple rules in the indicator-shellcode, malware-cnc, malware-other, os-windows, protocol-services, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)

* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (snort3-indicator-shellcode.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (snort3-malware-other.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (snort3-server-webapp.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (snort3-server-apache.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (snort3-server-webapp.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (snort3-malware-cnc.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (snort3-malware-cnc.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (snort3-indicator-shellcode.rules)

* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (snort3-protocol-services.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (snort3-protocol-services.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (snort3-protocol-services.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (snort3-os-windows.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (snort3-protocol-services.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (snort3-server-webapp.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (snort3-os-windows.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (snort3-protocol-services.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)

* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51556 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:51551 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51536 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Agent IoT backdoor download (malware-other.rules)
* 1:51552 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51539 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51554 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51548 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51553 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51541 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51555 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:51538 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:51546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51550 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51537 <-> ENABLED <-> SERVER-WEBAPP WordPress Print-My-Blog plugin server side request forgery attempt (server-webapp.rules)
* 1:51544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected (malware-cnc.rules)
* 1:51540 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:51549 <-> ENABLED <-> MALWARE-CNC Win.Malware.Divergent variant outbound connection (malware-cnc.rules)
* 1:51557 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)

* 1:602 <-> DISABLED <-> PROTOCOL-SERVICES rlogin bin (protocol-services.rules)
* 1:15680 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow QuickTime file atom size parsing heap corruption attempt (os-windows.rules)
* 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:2582 <-> DISABLED <-> OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt (os-windows.rules)
* 1:605 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:603 <-> DISABLED <-> PROTOCOL-SERVICES rlogin echo++ (protocol-services.rules)
* 1:606 <-> DISABLED <-> PROTOCOL-SERVICES rlogin root (protocol-services.rules)
* 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
* 1:49451 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
* 1:24628 <-> DISABLED <-> SERVER-WEBAPP Webmin show.cgi arbitrary command injection attempt (server-webapp.rules)
* 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
* 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
* 1:601 <-> DISABLED <-> PROTOCOL-SERVICES rlogin LinuxNIS (protocol-services.rules)