Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (snort3-malware-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (snort3-server-mysql.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (snort3-browser-firefox.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (snort3-server-other.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (snort3-os-windows.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (snort3-malware-other.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (snort3-malware-cnc.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (snort3-file-office.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (snort3-malware-other.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (snort3-file-office.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (snort3-malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (snort3-malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (snort3-malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (snort3-browser-firefox.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (snort3-malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (snort3-malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (snort3-malware-other.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (snort3-malware-other.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (snort3-malware-other.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (snort3-malware-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (snort3-malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (snort3-malware-other.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (snort3-indicator-compromise.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (snort3-malware-other.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (snort3-malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (snort3-malware-other.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (snort3-browser-ie.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (snort3-malware-cnc.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (snort3-exploit-kit.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (snort3-file-pdf.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (snort3-browser-ie.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (snort3-file-pdf.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52430 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52445 <-> ENABLED <-> MALWARE-CNC Doc.Malware.Gamaredon variant outbound connection (malware-cnc.rules)
* 1:52443 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52447 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52437 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52426 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52435 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52425 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52449 <-> DISABLED <-> INDICATOR-COMPROMISE Potential phishing domain ddns.net outbound connection detected (indicator-compromise.rules)
* 1:52427 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52448 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant third stage download detected (malware-other.rules)
* 1:52446 <-> ENABLED <-> MALWARE-OTHER Doc.Malware.Gamaredon variant second stage download detected (malware-other.rules)
* 1:52438 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52431 <-> DISABLED <-> BROWSER-FIREFOX IonMonkey MArraySlice buffer overflow attempt (browser-firefox.rules)
* 1:52441 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:51649 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop Services license negotiation denial of service attempt (os-windows.rules)
* 1:52422 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52421 <-> DISABLED <-> FILE-OFFICE Microsoft Windows Wordpad Converter sprmT record heap overflow attempt (file-office.rules)
* 1:52439 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.PowershellAgent variant download attempt (malware-other.rules)
* 1:52436 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Powerkatz variant download attempt (malware-other.rules)
* 1:52440 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.LazyCat variant download attempt (malware-other.rules)
* 1:52434 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WebShellAccessDB variant download attempt (malware-other.rules)
* 1:52423 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB Server geometry query envelope object integer overflow attempt (server-mysql.rules)
* 1:52429 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 1:52450 <-> DISABLED <-> SERVER-OTHER Squid Reverse Proxy malformed Host header buffer overflow attempt (server-other.rules)
* 1:52442 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Mimikatz variant download attempt (malware-other.rules)
* 1:52424 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:52428 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.DoppelPaymer variant download attempt (malware-other.rules)
* 3:52432 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 3:52444 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)
* 3:52433 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0970 attack attempt (os-windows.rules)
* 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:29446 <-> ENABLED <-> EXPLOIT-KIT Styx exploit kit jar outbound connection (exploit-kit.rules)
* 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
* 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
* 1:48052 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:48051 <-> DISABLED <-> BROWSER-IE Multiple browsers memory corruption attempt (browser-ie.rules)
* 1:51636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Amadey botnet outbound connection (malware-cnc.rules)
* 3:15433 <-> ENABLED <-> FILE-OTHER Winamp MAKI parsing integer overflow attempt (file-other.rules)