Talos has added and modified multiple rules in the browser-ie, file-identify, indicator-compromise, malware-cnc, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)

* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)

* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)

* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)

* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (snort3-server-other.rules)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (snort3-server-webapp.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (snort3-browser-ie.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (snort3-server-other.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (snort3-indicator-compromise.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (snort3-malware-cnc.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (snort3-malware-cnc.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (snort3-server-webapp.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (snort3-malware-cnc.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (snort3-browser-ie.rules)

* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (snort3-indicator-compromise.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (snort3-file-identify.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (snort3-server-webapp.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (snort3-file-identify.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51685 <-> DISABLED <-> SERVER-OTHER Symantec AMS Intel handler service overly large size1 dos attempt (server-other.rules)
* 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
* 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 1:51714 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51715 <-> DISABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
* 1:51725 <-> DISABLED <-> SERVER-WEBAPP HAProxy H2 Frame heap memory corruption attempt (server-webapp.rules)
* 1:51723 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51726 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51727 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant proxy connection detected (malware-cnc.rules)
* 1:51722 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 1:51721 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules)
* 3:51691 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51716 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51717 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51695 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51696 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51690 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51697 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51698 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51699 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51692 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51719 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51718 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51701 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51693 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51689 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51687 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51711 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51713 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN denial of service attempt (server-webapp.rules)
* 3:51694 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51708 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51706 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51707 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51704 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51709 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51702 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51710 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center command injection attempt (server-webapp.rules)
* 3:51705 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center directory traversal attempt (server-webapp.rules)
* 3:51688 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51700 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 3:51703 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Management Center SQL injection attempt (server-webapp.rules)
* 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
* 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:45585 <-> DISABLED <-> SERVER-WEBAPP PMSotware Simple Web Server connection header buffer overflow attempt (server-webapp.rules)
* 1:23659 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
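The listings above follow the `gid:sid <-> Default rule state <-> Message (rule group)` format stated in the header, and the operational question they raise is which new rules a deployment will not get automatically: anything marked DISABLED stays off until the operator enables it. The script below is an added example, not Talos or Snort code, that parses this listing format into records, tolerates entries that were run together on one line (as the extracted page shows them), and reports the rules that ship disabled, the per-group counts, and messages shared by several SIDs. The sample input is a handful of entries copied from the listings on this page; the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One entry of the Talos listing: "* gid:sid <-> ENABLED|DISABLED <-> message (group.rules)".
# The message is matched lazily so that several entries joined on one line are still split apart.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)"
)

# Sample input copied from the listings on this page (second line deliberately
# contains two entries run together, as the extracted page shows them).
SAMPLE_LISTING = """\
* 1:51724 <-> DISABLED <-> SERVER-OTHER Novell Remote Manager off-by-one denial of service attempt (server-other.rules)
* 1:51720 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alreay malicious executable download attempt (malware-cnc.rules) * 1:51712 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.NanoCore DNS request for known malware domain bsbs.duckdns.org (indicator-compromise.rules)
* 3:51728 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 3:51729 <-> ENABLED <-> SERVER-WEBAPP Cisco WebVPN cross site scripting attempt (server-webapp.rules)
* 1:20472 <-> ENABLED <-> FILE-IDENTIFY RAR file magic detected (file-identify.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # True when the default rule state is ENABLED
    message: str       # rule message, e.g. "SERVER-WEBAPP Cisco WebVPN cross site scripting attempt"
    group: str         # rule file, e.g. "server-webapp.rules"


def parse_listing(text: str) -> list[RuleEntry]:
    """Parse every entry in a listing, regardless of how the entries are broken across lines."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"])
        for m in ENTRY_RE.finditer(text)
    ]


def disabled_by_default(entries: list[RuleEntry]) -> list[tuple[int, int]]:
    """(gid, sid) pairs that ship DISABLED: these need an explicit enable in the local policy."""
    return sorted((e.gid, e.sid) for e in entries if not e.enabled)


def count_by_group(entries: list[RuleEntry]) -> Counter:
    """How many entries touch each rule file (useful for judging the blast radius of an update)."""
    return Counter(e.group for e in entries)


def duplicate_messages(entries: list[RuleEntry]) -> dict[str, int]:
    """Messages shared by more than one SID, e.g. one rule per variant or traffic direction."""
    counts = Counter(e.message for e in entries)
    return {msg: n for msg, n in counts.items() if n > 1}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print(f"{len(entries)} entries parsed")
    for gid, sid in disabled_by_default(entries):
        print(f"disabled by default: {gid}:{sid}")
    for group, n in count_by_group(entries).most_common():
        print(f"{group}: {n}")
    for msg, n in duplicate_messages(entries).items():
        print(f"{n} SIDs share message: {msg}")
```

Running it on the sample reports 1:51712 and 1:51724 as the rules that will not fire until enabled, and shows that the two WebVPN cross-site-scripting SIDs share one message. In Snort, gid 1 denotes text rules and gid 3 denotes shared-object (SO) rules, which is why the Cisco Firepower Management Center and WebVPN entries above all carry gid 3; the parser keeps the gid so that these can be handled separately when building a local enable list.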