Talos has added and modified multiple rules in the file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-mobile, policy-other, protocol-voip, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (snort3-server-webapp.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (snort3-file-other.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (snort3-indicator-compromise.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (snort3-indicator-compromise.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (snort3-indicator-compromise.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (snort3-indicator-compromise.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (snort3-server-webapp.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (snort3-server-webapp.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (snort3-file-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (snort3-file-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (snort3-server-webapp.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (snort3-malware-other.rules)

* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (snort3-malware-cnc.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (snort3-malware-cnc.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (snort3-malware-cnc.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (snort3-malware-cnc.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (snort3-malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (snort3-malware-other.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (snort3-server-apache.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (snort3-pua-other.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (snort3-malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (snort3-malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (snort3-malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (snort3-malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52118 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52147 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52149 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52100 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52099 <-> DISABLED <-> SERVER-WEBAPP Jenkins SCM Git Client plugin command injection attempt (server-webapp.rules)
* 1:52135 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52144 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52133 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52140 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52139 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52115 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52146 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52142 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules)
* 1:52136 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52143 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52101 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
* 1:52125 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52124 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52116 <-> ENABLED <-> INDICATOR-COMPROMISE Win.Downloader.PowMet powershell script download attempt (indicator-compromise.rules)
* 1:52113 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52138 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52117 <-> ENABLED <-> INDICATOR-COMPROMISE Xml.Downloader.PowMet fileless malware variant download attempt (indicator-compromise.rules)
* 1:52134 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52112 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:52114 <-> DISABLED <-> FILE-OTHER Oracle Outside-In library CorelDRAW parsing integer overflow attempt (file-other.rules)
* 1:52137 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:52141 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Agent variant download attempt (malware-other.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 3:52128 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52122 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52110 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52127 <-> ENABLED <-> POLICY-OTHER Cisco Web Security Appliance system setup wizard access detected (policy-other.rules)
* 3:52111 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52126 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:52106 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 3:52120 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52103 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52107 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52121 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52119 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
* 3:52108 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52109 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52104 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52105 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52102 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:52131 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0948 attack attempt (server-other.rules)

* 1:29978 <-> ENABLED <-> MALWARE-CNC ANDR.Trojan.FakeApp outbound connection (malware-cnc.rules)
* 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
* 1:46792 <-> ENABLED <-> MALWARE-CNC Outbound malicious vbscript attempt (malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
* 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
* 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
* 1:43351 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Erebus variant outbound connection (malware-cnc.rules)
* 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
* 1:50378 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Sodinokibi variant download attempt (malware-other.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
* 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
* 1:16484 <-> ENABLED <-> MALWARE-CNC Koobface variant outbound connection (malware-cnc.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)
* 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
* 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
* 1:21760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
* 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
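Added example (not part of the Talos release notes above): a small Python parser for the listing format the notes describe, gid:sid <-> Default rule state <-> Message (rule group). It accepts entries one per line or run together with " * " separators, as they often arrive after copy-paste, and then answers the questions an operator has after reading such a list: which new rules ship DISABLED and need a deliberate decision before they fire, how many entries landed per rule file, and which gid:sid identifiers appear in one pack but not another (for instance, the gid 3 entries present in the 2.9.x packs but absent from the Snort 3 pack). The sample entries are copied from the listings on this page; the remark that gid 3 denotes shared-object rules and the gid:sid output form accepted by pulledpork's enablesid.conf are Snort and pulledpork conventions, not statements made on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# One entry of a Talos rule-update listing:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()\s]+\.rules)\)"
)

# Entries are separated by " * " whether the listing is one per line or
# flattened onto a single line, so split on the separator, not on newlines.
SPLIT_RE = re.compile(r"(?:^|\s)\*\s+(?=\d+:\d+\s*<->)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str  # leading class token of the message, e.g. SERVER-WEBAPP
    message: str   # remainder of the message text
    group: str     # rule file the entry belongs to, e.g. server-webapp.rules

    @property
    def is_shared_object(self) -> bool:
        # Snort convention (not stated in the listing): gid 3 is the generator
        # for shared-object (SO) rules, shipped as compiled objects, not text.
        return self.gid == 3


def parse_entry(chunk: str) -> Optional[RuleEntry]:
    """Parse one entry; returns None for text that is not an entry."""
    m = ENTRY_RE.search(chunk)
    if not m:
        return None
    category, _, rest = m.group("msg").partition(" ")
    return RuleEntry(int(m.group("gid")), int(m.group("sid")),
                     m.group("state") == "ENABLED", category, rest, m.group("group"))


def parse_listing(text: str) -> List[RuleEntry]:
    """Parse a whole listing, tolerating both one-per-line and flattened layouts."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        entry = parse_entry(chunk)
        if entry is not None:
            entries.append(entry)
    return entries


def disabled_by_default(entries: Iterable[RuleEntry]) -> List[RuleEntry]:
    """Rules that ship off; these need an explicit enable to produce alerts."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def count_by_group(entries: Iterable[RuleEntry]) -> Counter:
    """How many ENABLED / DISABLED entries each rule file received."""
    return Counter((e.group, "ENABLED" if e.enabled else "DISABLED") for e in entries)


def enablesid_lines(entries: Iterable[RuleEntry]) -> List[str]:
    """gid:sid lines for the default-disabled rules, the form pulledpork's
    enablesid.conf accepts. Assumption: every one of them is wanted; review
    each (false-positive cost, asset exposure) before shipping the file."""
    return [f"{e.gid}:{e.sid}" for e in disabled_by_default(entries)]


def only_in_first(a: Iterable[RuleEntry], b: Iterable[RuleEntry]) -> List[Tuple[int, int]]:
    """(gid, sid) pairs listed in pack a but absent from pack b."""
    keys_b = {(e.gid, e.sid) for e in b}
    return sorted((e.gid, e.sid) for e in a if (e.gid, e.sid) not in keys_b)


# Constructed sample: a handful of entries copied from the 2.9.x listing on this
# page, deliberately flattened on the first line to exercise the splitter.
SAMPLE_29X = """* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (server-webapp.rules) * 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (server-webapp.rules)
* 3:52129 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
* 1:52132 <-> DISABLED <-> FILE-OTHER Libmspack cabd_sys_read_block off-by-one heap overflow attempt (file-other.rules)
* 1:40081 <-> ENABLED <-> PUA-OTHER User-Agent known PUA user-agent string - TopTools100 (pua-other.rules)"""

# Constructed sample from the Snort 3 listing: same sids, snort3- rule files, no gid 3 rows.
SAMPLE_SNORT3 = """* 1:52123 <-> DISABLED <-> SERVER-WEBAPP PHP FPM env_path_info buffer underflow attempt (snort3-server-webapp.rules)
* 1:52130 <-> ENABLED <-> SERVER-WEBAPP Apache Struts OGNL expression injection attempt (snort3-server-webapp.rules)"""


if __name__ == "__main__":
    pack = parse_listing(SAMPLE_29X)
    for e in disabled_by_default(pack):
        print(f"review before enabling: {e.gid}:{e.sid} {e.category} {e.message} [{e.group}]")
    for (group, state), n in sorted(count_by_group(pack).items()):
        print(f"{group:28} {state:8} {n}")
    print("not in Snort 3 sample:", only_in_first(pack, parse_listing(SAMPLE_SNORT3)))
```

The splitter keys on the " * " separator followed by a gid:sid token rather than on line ends, so a listing that survived a copy-paste as one long line parses the same as the tidy one-per-line form.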