Talos has added and modified multiple rules in the exploit-kit, file-flash, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (snort3-file-flash.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (snort3-server-webapp.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (snort3-file-flash.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (snort3-file-flash.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (snort3-policy-other.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (snort3-malware-cnc.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (snort3-server-other.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (snort3-server-other.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (snort3-exploit-kit.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (snort3-indicator-obfuscation.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (snort3-exploit-kit.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (snort3-server-webapp.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (snort3-server-webapp.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (snort3-exploit-kit.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (snort3-indicator-obfuscation.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (snort3-os-windows.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (snort3-indicator-compromise.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (snort3-indicator-compromise.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (snort3-os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
* 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
* 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
* 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
* 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
* 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
* 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
* 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
* 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
* 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
* 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
* 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
* 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
* 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
* 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
* 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
* 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
* 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
* 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
* 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
* 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
* 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
* 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
* 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
* 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
* 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)