Talos has added and modified multiple rules in the browser-ie, browser-webkit, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, os-windows, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)

* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)

* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)

* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (snort3-malware-other.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (snort3-server-other.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (snort3-server-webapp.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (snort3-server-other.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (snort3-os-linux.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (snort3-server-other.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (snort3-server-other.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (snort3-malware-cnc.rules)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (snort3-server-other.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (snort3-file-pdf.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (snort3-malware-other.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (snort3-file-pdf.rules)

* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (snort3-browser-ie.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (snort3-file-office.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (snort3-file-office.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (snort3-server-oracle.rules)
* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (snort3-browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)

* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
* 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
* 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
* 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
* 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
* 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
* 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
* 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
* 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
* 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
* 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
* 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
* 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
* 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
* 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
* 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

* 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
* 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
* 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
* 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
* 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
* 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)