Talos has added and modified multiple rules in the browser-firefox, browser-ie, deleted, file-other, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (snort3-policy-other.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (snort3-browser-ie.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (snort3-deleted.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (snort3-browser-ie.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (snort3-malware-cnc.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (snort3-malware-cnc.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (snort3-malware-cnc.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (snort3-browser-firefox.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (snort3-deleted.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (snort3-deleted.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (snort3-deleted.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (snort3-server-webapp.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (snort3-server-webapp.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (snort3-server-webapp.rules)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (snort3-server-webapp.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (snort3-malware-other.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (snort3-policy-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (snort3-policy-other.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (snort3-browser-firefox.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (snort3-browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52569 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:52581 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52550 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52551 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52576 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52573 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52554 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Technicolor TD5130v2 TD5336 routers command injection attempt (malware-cnc.rules)
* 1:52572 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52574 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52561 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52582 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52565 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52575 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52579 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52562 <-> DISABLED <-> POLICY-OTHER Yachtcontrol webserver unauthenticated remote code execution attempt (policy-other.rules)
* 1:52577 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52564 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52563 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant outbound Yachtcontrol webserver unauthenticated remote code execution attempt (malware-cnc.rules)
* 1:52578 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52566 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52567 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52580 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.ZeroCleare variant payload download attempt (malware-other.rules)
* 1:52553 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 1:52568 <-> DISABLED <-> DELETED OS-WINDOWS Microsoft Windows hacking attempt (deleted.rules)
* 1:52583 <-> DISABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
* 1:52552 <-> DISABLED <-> SERVER-WEBAPP Technicolor TD5130v2 TD5336 routers command injection attempt (server-webapp.rules)
* 3:52559 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 3:52570 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52555 <-> ENABLED <-> SERVER-WEBAPP Cisco Webex Video Mesh Node command injection attempt (server-webapp.rules)
* 3:52571 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0973 attack attempt (file-other.rules)
* 3:52560 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS Web UI cross site request forgery attempt (server-webapp.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
* 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco Webex explicit use of web plugin detected (policy-other.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)