Talos has added and modified multiple rules in the browser-chrome, browser-plugins, browser-webkit, file-pdf, malware-cnc, malware-other, os-solaris, os-windows, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
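The listing format above (gid:sid <-> Default rule state <-> Message (rule group)) is the same for every Snort version block on this page, so it is worth being able to parse it mechanically rather than reading it by eye: most of the new rules ship DISABLED, and an operator has to decide which of them to turn on. The script below is an added example, not Talos or Snort project code. It parses the listing (including the run-together form in which the page renders it), reports which rules are on by default, flags gid 3 shared-object rules (which only fire if the matching precompiled .so for the sensor platform is installed), and emits gid:sid lines for the disabled rules in chosen categories in the one-gid:sid-per-line form that PulledPork's enablesid.conf accepts. The sample entries are copied from the 2091500 listing; the category set passed to enablesid_lines is an operator choice and is an assumption here.

```python
"""Parse a Snort rule-update listing:
    * gid:sid <-> ENABLED|DISABLED <-> Message (rule-group.rules)
Added example, not Talos/Snort project code."""
import re
from collections import Counter

# Sample entries copied from the 2091500 listing above. The last two are
# deliberately run together and split across a line break, the way the page
# renders them, to show the parser does not depend on line boundaries.
SAMPLE = (
    "* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll "
    "DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)\n"
    "* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases "
    "denial of service attempt (server-other.rules)\n"
    "* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary "
    "download attempt (malware-cnc.rules)\n"
    "* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command "
    "injection attempt (server-webapp.rules) "
    "* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt \n"
    "(file-pdf.rules)\n"
)

# Anchored on "gid:sid <-> STATE <->" and terminated by "(something.rules)",
# so leading "*" markers, stray whitespace and line breaks inside a message
# do not matter. DOTALL lets a message span an extraction line break.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)",
    re.DOTALL,
)


def parse_entries(text):
    """Return one dict per rule, sorted by (gid, sid)."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        msg = " ".join(m["msg"].split())  # collapse line breaks/double spaces
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": msg,
            "category": msg.split(" ", 1)[0],   # leading class, e.g. SERVER-OTHER
            "group": m["group"],                 # rules file, e.g. server-other.rules
            "shared_object": m["gid"] == "3",    # gid 3 = precompiled SO rules
        })
    return sorted(entries, key=lambda e: (e["gid"], e["sid"]))


def count_by_state(entries):
    """How many rules the pack ships ENABLED vs DISABLED."""
    return Counter(e["state"] for e in entries)


def enabled_by_default(entries):
    """gid:sid of rules that will alert with no operator action."""
    return [f'{e["gid"]}:{e["sid"]}' for e in entries if e["state"] == "ENABLED"]


def so_rules(entries):
    """gid:sid of shared-object rules; these need the matching .so installed."""
    return [f'{e["gid"]}:{e["sid"]}' for e in entries if e["shared_object"]]


def enablesid_lines(entries, categories):
    """DISABLED rules in the chosen categories, one gid:sid per line (the form
    PulledPork's enablesid.conf accepts). Which categories to enable is an
    operator decision and is assumed, not taken from the listing."""
    return [f'{e["gid"]}:{e["sid"]}' for e in entries
            if e["state"] == "DISABLED" and e["category"] in categories]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print("by state:", dict(count_by_state(parsed)))
    print("enabled by default:", enabled_by_default(parsed))
    print("SO rules (need matching .so):", so_rules(parsed))
    print("enablesid.conf candidates:",
          "\n".join(enablesid_lines(parsed, {"SERVER-OTHER", "BROWSER-PLUGINS"})))
```

Running it against a full version block from this page rather than the five-entry sample shows the point quickly: the only rules on by default are the two Hoplight MALWARE-CNC rules, the two vBulletin rules, and the four gid 3 TRUFFLEHUNTER rules; everything else, including the ISC BIND denial-of-service coverage, has to be enabled explicitly.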
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (snort3-malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (snort3-os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (snort3-os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (snort3-os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (snort3-malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (snort3-malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (snort3-server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (snort3-malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (snort3-malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (snort3-browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (snort3-browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (snort3-server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (snort3-server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (snort3-browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (snort3-browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (snort3-browser-chrome.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (snort3-browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
* 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
* 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
* 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
* 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
* 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
* 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
* 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
* 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
* 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
* 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

* 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
* 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
* 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
* 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)