Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (snort3-browser-firefox.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (snort3-browser-firefox.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (snort3-server-other.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (snort3-protocol-scada.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (snort3-indicator-compromise.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (snort3-indicator-compromise.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (snort3-browser-ie.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (snort3-server-other.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (snort3-malware-cnc.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (snort3-malware-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (snort3-malware-other.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (snort3-server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (snort3-server-apache.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (snort3-server-other.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (snort3-file-pdf.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (snort3-server-other.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (snort3-browser-firefox.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (snort3-browser-firefox.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (snort3-file-pdf.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (snort3-malware-backdoor.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (snort3-malware-backdoor.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (snort3-browser-other.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (snort3-browser-other.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (snort3-browser-ie.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (snort3-browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (snort3-server-other.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
* 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
* 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
* 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
* 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
* 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
* 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
* 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
* 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
* 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
* 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
* 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
* 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
* 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
* 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
* 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
* 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
* 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
* 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
* 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
* 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
* 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
* 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
* 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)