Talos has added and modified multiple rules in the app-detect, browser-ie, content-replace, exploit-kit, file-flash, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, os-solaris, os-windows, policy-other, policy-social, protocol-ftp, protocol-other, protocol-scada, protocol-telnet, protocol-voip, pua-adware, pua-p2p, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)

* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (protocol-other.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (snort3-indicator-compromise.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (snort3-malware-tools.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (snort3-indicator-compromise.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (snort3-malware-tools.rules)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (snort3-malware-tools.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (snort3-protocol-scada.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (snort3-malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (snort3-malware-cnc.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (snort3-indicator-compromise.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (snort3-file-other.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (snort3-pua-p2p.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (snort3-malware-cnc.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (snort3-file-other.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (snort3-malware-cnc.rules)
* 1:53214 <-> DISABLED <-> PROTOCOL-OTHER Cesanta Mongoose MQTT integer overflow attempt (snort3-protocol-other.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (snort3-indicator-compromise.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (snort3-malware-cnc.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (snort3-malware-cnc.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (snort3-protocol-other.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (snort3-file-other.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (snort3-server-other.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (snort3-malware-cnc.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (snort3-malware-cnc.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (snort3-protocol-scada.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (snort3-file-other.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (snort3-malware-cnc.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (snort3-malware-cnc.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (snort3-file-other.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (snort3-file-flash.rules)
* 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (snort3-server-other.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (snort3-malware-cnc.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (snort3-malware-cnc.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (snort3-server-other.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (snort3-malware-cnc.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (snort3-malware-backdoor.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (snort3-malware-backdoor.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (snort3-server-oracle.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (snort3-server-other.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (snort3-malware-backdoor.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (snort3-protocol-voip.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (snort3-protocol-telnet.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (snort3-file-other.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (snort3-server-other.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (snort3-server-other.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (snort3-server-other.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (snort3-policy-social.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (snort3-content-replace.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (snort3-server-other.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (snort3-server-other.rules)
* 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (snort3-server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (snort3-os-windows.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (snort3-server-other.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (snort3-malware-cnc.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (snort3-malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (snort3-browser-ie.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (snort3-malware-cnc.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (snort3-server-other.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (snort3-os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (snort3-server-other.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (snort3-os-windows.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (snort3-policy-social.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (snort3-server-mail.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (snort3-server-other.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (snort3-os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (snort3-os-windows.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (snort3-os-windows.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (snort3-malware-backdoor.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (snort3-malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (snort3-malware-cnc.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (snort3-malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (snort3-malware-cnc.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (snort3-malware-cnc.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (snort3-indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (snort3-indicator-compromise.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (snort3-indicator-compromise.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (snort3-malware-cnc.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (snort3-malware-cnc.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (snort3-malware-cnc.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (snort3-malware-cnc.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (snort3-malware-cnc.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (snort3-malware-cnc.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (snort3-malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (snort3-malware-cnc.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (snort3-malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (snort3-malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (snort3-protocol-scada.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (snort3-malware-backdoor.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (snort3-malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (snort3-malware-cnc.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (snort3-malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (snort3-malware-cnc.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (snort3-malware-cnc.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (snort3-server-other.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (snort3-malware-other.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (snort3-malware-cnc.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (snort3-server-other.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (snort3-protocol-voip.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (snort3-malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (snort3-malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (snort3-server-other.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (snort3-malware-backdoor.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (snort3-policy-social.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (snort3-pua-p2p.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (snort3-malware-cnc.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (snort3-policy-social.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (snort3-server-other.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (snort3-indicator-compromise.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (snort3-malware-cnc.rules)
* 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (snort3-malware-cnc.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (snort3-malware-backdoor.rules)
* 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (snort3-malware-backdoor.rules)
* 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (snort3-malware-backdoor.rules)
* 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (snort3-malware-backdoor.rules)
* 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (snort3-malware-backdoor.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (snort3-malware-backdoor.rules)
* 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (snort3-malware-backdoor.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (snort3-malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (snort3-malware-cnc.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (snort3-malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (snort3-protocol-ftp.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (snort3-malware-cnc.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (snort3-malware-cnc.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (snort3-server-other.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (snort3-exploit-kit.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (snort3-malware-cnc.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (snort3-malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (snort3-malware-cnc.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (snort3-server-other.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (snort3-server-other.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (snort3-app-detect.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (snort3-app-detect.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (snort3-malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (snort3-pua-adware.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (snort3-malware-cnc.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (snort3-malware-cnc.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (snort3-malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (snort3-malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (snort3-malware-cnc.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (snort3-malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (snort3-malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (snort3-malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (snort3-malware-backdoor.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (snort3-malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (snort3-malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (snort3-malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (snort3-malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (snort3-malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (snort3-malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (snort3-malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (snort3-malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (snort3-malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (snort3-malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (snort3-malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (snort3-malware-cnc.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (snort3-malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (snort3-malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (snort3-server-other.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (snort3-malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (snort3-malware-other.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (snort3-malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (snort3-malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (snort3-server-other.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (snort3-server-other.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (snort3-malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (snort3-malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (snort3-malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (snort3-malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (snort3-server-mail.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (snort3-malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (snort3-malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (snort3-malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (snort3-malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (snort3-malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (snort3-malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (snort3-malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (snort3-malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (snort3-app-detect.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (snort3-malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (snort3-malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (snort3-malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (snort3-malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (snort3-malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (snort3-malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (snort3-malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (snort3-malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (snort3-malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (snort3-malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (snort3-malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (snort3-malware-backdoor.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (snort3-malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (snort3-malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (snort3-malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (snort3-file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (snort3-malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (snort3-malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (snort3-malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (snort3-malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (snort3-malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (snort3-malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (snort3-malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (snort3-malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (snort3-malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (snort3-malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (snort3-malware-cnc.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (snort3-malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (snort3-malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (snort3-malware-cnc.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (snort3-malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (snort3-malware-cnc.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (snort3-malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (snort3-malware-other.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (snort3-malware-cnc.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (snort3-malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (snort3-malware-cnc.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (snort3-server-other.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (snort3-malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (snort3-malware-backdoor.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (snort3-malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (snort3-malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (snort3-malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (snort3-malware-cnc.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (snort3-malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (snort3-malware-cnc.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (snort3-malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (snort3-malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (snort3-malware-cnc.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (snort3-os-solaris.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (snort3-server-other.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (snort3-server-other.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (snort3-server-other.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (snort3-malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (snort3-malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (snort3-malware-cnc.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (snort3-malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (snort3-server-webapp.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (snort3-malware-cnc.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (snort3-malware-cnc.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (snort3-malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (snort3-malware-cnc.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (snort3-server-other.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (snort3-netbios.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (snort3-server-other.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (snort3-file-flash.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet
OPC client csv file buffer overflow attempt (snort3-file-other.rules) * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (snort3-file-other.rules) * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (snort3-malware-cnc.rules) * 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (snort3-malware-cnc.rules) * 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (snort3-malware-cnc.rules) * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (snort3-malware-backdoor.rules) * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (snort3-malware-cnc.rules) * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (snort3-malware-cnc.rules) * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (snort3-malware-cnc.rules) * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (snort3-malware-cnc.rules) * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (snort3-malware-cnc.rules) * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (snort3-malware-cnc.rules) * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (snort3-malware-cnc.rules) * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (snort3-malware-cnc.rules) * 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (snort3-indicator-compromise.rules) * 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53395 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53399 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53397 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53401 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.snoopy TCP connection attempt (indicator-compromise.rules)
* 1:53394 <-> DISABLED <-> MALWARE-TOOLS Rat.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53396 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Generic variant download attempt (malware-tools.rules)
* 1:53398 <-> DISABLED <-> MALWARE-TOOLS Win.Malware.Generic variant download attempt (malware-tools.rules)
* 3:53388 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53391 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53385 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53390 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53387 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53389 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Registrar cross site request forgery attempt (server-webapp.rules)
* 3:53384 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53386 <-> ENABLED <-> FILE-OTHER Cisco Webex Network Recording Player memory corruption attempt (file-other.rules)
* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)
* 3:53393 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar EditAdmin request detected (policy-other.rules)
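The format line above describes one entry per rule, but the lists as extracted here run many entries together on one line and sometimes wrap an entry across a line break. The following Python script is an added example, not part of the release notes or of any Talos or Snort tooling: it parses text in the `gid:sid <-> state <-> message (group.rules)` format into records and then answers the questions a rule maintainer asks of a new pack, namely which rules ship DISABLED (and so will not fire until deliberately enabled), and whether the Snort 2 list and the `snort3-*` list agree on SIDs and default states. The sample inputs are constructed from entries on this page; the function names (`parse_rule_list`, `disabled_sids`, `missing_from`, `state_mismatches`) are my own.

```python
"""Parse Talos/Snort release-notes rule lists of the form

    gid:sid <-> Default rule state <-> Message (rule group)

and summarise them. Added example; not Talos or Snort code.
"""
import re
from collections import Counter

# One entry. The message is everything between the state and the trailing
# "(group.rules)"; DOTALL lets an entry wrapped across a line break still match.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[A-Za-z0-9_.-]+\.rules)\)",
    re.DOTALL,
)

# Constructed sample: entries copied from the Snort 2 lists on this page,
# concatenated on one line the way the extracted page presents them.
SAMPLE_SNORT2 = (
    "* 1:53400 <-> ENABLED <-> INDICATOR-COMPROMISE - Unix.Trojan.Snoopy TCP connection attempt (indicator-compromise.rules) "
    "* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules) "
    "* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules) "
    "* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules) "
    "* 3:53392 <-> ENABLED <-> POLICY-OTHER Cisco Prime Network Registrar AddObject request detected (policy-other.rules)"
)

# Constructed Snort 3 counterpart, with one entry wrapped across a line break.
SAMPLE_SNORT3 = (
    "* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (snort3-malware-cnc.rules) "
    "* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs\n"
    "(snort3-malware-cnc.rules) "
    "* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (snort3-indicator-compromise.rules)"
)


def parse_rule_list(text):
    """Return one dict per entry; entries may be wrapped or run together."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        msg = " ".join(m.group("msg").split())  # collapse wrap whitespace
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "msg": msg,
            "category": msg.split()[0],  # leading token, e.g. MALWARE-CNC
            "group": m.group("group"),
        })
    return entries


def state_counts(entries):
    """Counter keyed by (category, default state)."""
    return Counter((e["category"], e["state"]) for e in entries)


def disabled_sids(entries, category=None):
    """'gid:sid' strings for rules the pack ships DISABLED, optionally one category."""
    return [
        f'{e["gid"]}:{e["sid"]}'
        for e in entries
        if e["state"] == "DISABLED" and (category is None or e["category"] == category)
    ]


def missing_from(entries_a, entries_b):
    """(gid, sid) pairs listed in A but absent from B, e.g. Snort 2 vs Snort 3 lists."""
    present = {(e["gid"], e["sid"]) for e in entries_b}
    return sorted((e["gid"], e["sid"]) for e in entries_a
                  if (e["gid"], e["sid"]) not in present)


def state_mismatches(entries_a, entries_b):
    """SIDs in both lists whose default state differs: (gid, sid, state_a, state_b)."""
    state_b = {(e["gid"], e["sid"]): e["state"] for e in entries_b}
    return sorted(
        (e["gid"], e["sid"], e["state"], state_b[(e["gid"], e["sid"])])
        for e in entries_a
        if (e["gid"], e["sid"]) in state_b and state_b[(e["gid"], e["sid"])] != e["state"]
    )


if __name__ == "__main__":
    s2, s3 = parse_rule_list(SAMPLE_SNORT2), parse_rule_list(SAMPLE_SNORT3)
    print("per category/state:", dict(state_counts(s2)))
    print("shipped disabled:", disabled_sids(s2))
    print("in Snort 2 list only:", missing_from(s2, s3))
    print("default-state mismatches:", state_mismatches(s2, s3))
```

Run it against the full text of a release note (both the Snort 2 and the `snort3-*` lists) to get the set of SIDs you still have to enable by hand; `disabled_sids` returns them in the `gid:sid` form that rule-management tools such as PulledPork accept in their enablesid configuration. `missing_from` and `state_mismatches` are the check to run before assuming both Snort builds carry the same coverage.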
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
* 1:23460 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection (malware-cnc.rules)
* 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
* 1:21483 <-> DISABLED <-> PROTOCOL-SCADA Moxa Device Manager buffer overflow attempt (protocol-scada.rules)
* 1:22048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus P2P outbound connection (malware-cnc.rules)
* 1:23252 <-> DISABLED <-> MALWARE-CNC MacOS.MacKontrol variant outbound connection (malware-cnc.rules)
* 1:21972 <-> DISABLED <-> MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection (malware-backdoor.rules)
* 1:21227 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bulknet variant outbound connection (malware-cnc.rules)
* 1:21228 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Cerberat variant outbound connection (malware-cnc.rules)
* 1:21224 <-> DISABLED <-> MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection (malware-cnc.rules)
* 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:41532 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:21212 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection (malware-cnc.rules)
* 1:41528 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41531 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
* 1:39581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection (malware-cnc.rules)
* 1:41530 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41524 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:41525 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
* 1:41219 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server Fabric denial of service attempt (server-other.rules)
* 1:39577 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
* 1:41743 <-> DISABLED <-> PROTOCOL-SCADA TwinCAT PLC DOS attempt (protocol-scada.rules)
* 1:39578 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection (malware-cnc.rules)
* 1:38886 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bayrob variant outbound connection (malware-cnc.rules)
* 1:5998 <-> ENABLED <-> PUA-P2P Skype client login startup (pua-p2p.rules)
* 1:39995 <-> DISABLED <-> POLICY-SOCIAL IRC server connection (policy-social.rules)
* 1:21221 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection (malware-cnc.rules)
* 1:8361 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection (malware-backdoor.rules)
* 1:39579 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:39576 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
* 1:39308 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:39582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt (malware-cnc.rules)
* 1:41526 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:40834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt (malware-cnc.rules)
* 1:41374 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:39080 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:39574 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:41529 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:41376 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:39575 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:44944 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:41533 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:39573 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:38933 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:40991 <-> ENABLED <-> MALWARE-CNC Linux.DDoS.D93 outbound connection (malware-cnc.rules)
* 1:41752 <-> DISABLED <-> PROTOCOL-SCADA PowerNet Twin Client DOS attempt (protocol-scada.rules)
* 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection (malware-cnc.rules)
* 1:39584 <-> DISABLED <-> SERVER-OTHER EasyCafe Server remote file access attempt (server-other.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:41375 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
* 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
* 1:20094 <-> DISABLED <-> INDICATOR-COMPROMISE IRC message on non-standard port (indicator-compromise.rules)
* 1:1253 <-> DISABLED <-> PROTOCOL-TELNET bsd exploit client finishing (protocol-telnet.rules)
* 1:12147 <-> DISABLED <-> MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection (malware-backdoor.rules)
* 1:10442 <-> DISABLED <-> MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive (malware-backdoor.rules)
* 1:11317 <-> DISABLED <-> MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection (malware-backdoor.rules)
* 1:12082 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS denial of service attempt (server-oracle.rules)
* 1:12359 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk data length field overflow attempt (protocol-voip.rules)
* 1:1463 <-> DISABLED <-> POLICY-SOCIAL IRC message (policy-social.rules)
* 1:1408 <-> DISABLED <-> SERVER-OTHER MSDTC attempt (server-other.rules)
* 1:33449 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt (malware-cnc.rules)
* 1:29882 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WEC variant outbound connection (malware-cnc.rules)
* 1:29378 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic (malware-cnc.rules)
* 1:29440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chewbacca outbound connection (malware-cnc.rules)
* 1:29380 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic (malware-cnc.rules)
* 1:29307 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fraxytime outbound connection (malware-cnc.rules)
* 1:29389 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alusins variant outbound connection (malware-cnc.rules)
* 1:29379 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration (malware-cnc.rules)
* 1:29364 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt (malware-other.rules)
* 1:29368 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boato variant followup outbound connection (malware-cnc.rules)
* 1:29087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kboy variant outbound connection (malware-cnc.rules)
* 1:29325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Horsamaz outbound connection (malware-cnc.rules)
* 1:29135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bfddos variant outbound connection (malware-cnc.rules)
* 1:29115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Alset variant outbound connection (malware-cnc.rules)
* 1:28857 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:29295 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boda variant initial outbound connection (malware-cnc.rules)
* 1:28996 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bunitu variant outbound connection (malware-cnc.rules)
* 1:29055 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt (malware-backdoor.rules)
* 1:28419 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesch variant outbound connection (malware-cnc.rules)
* 1:28858 <-> ENABLED <-> MALWARE-CNC Adwind UNRECOM connnection back to cnc server (malware-cnc.rules)
* 1:28543 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection (malware-cnc.rules)
* 1:27927 <-> DISABLED <-> APP-DETECT Splashtop inbound connection negotiation attempt (app-detect.rules)
* 1:28542 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Conficker variant outbound connection (malware-cnc.rules)
* 1:28156 <-> DISABLED <-> PUA-ADWARE Linkury outbound time check (pua-adware.rules)
* 1:28418 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection (malware-cnc.rules)
* 1:27023 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:28144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection (malware-cnc.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:27923 <-> DISABLED <-> APP-DETECT Splashtop connection negotiation attempt (app-detect.rules)
* 1:26645 <-> DISABLED <-> SERVER-OTHER SSL TLS deflate compression weakness brute force attempt (server-other.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:26966 <-> ENABLED <-> MALWARE-CNC Win32/Autorun.JN variant outbound connection (malware-cnc.rules)
* 1:27022 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Netweird.A outbound connection (malware-cnc.rules)
* 1:26202 <-> DISABLED <-> MALWARE-CNC VBS.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26961 <-> ENABLED <-> EXPLOIT-KIT Flim exploit kit landing page (exploit-kit.rules)
* 1:26604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:26605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bydra variant outbound connection (malware-cnc.rules)
* 1:25610 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection (malware-cnc.rules)
* 1:25865 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26471 <-> DISABLED <-> PROTOCOL-FTP VanDyke AbsoluteFTP LIST command stack buffer overflow attempt (protocol-ftp.rules)
* 1:25867 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25530 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection (malware-cnc.rules)
* 1:25549 <-> DISABLED <-> SERVER-OTHER Novell eDirectory NCP stack buffer overflow attempt (server-other.rules)
* 1:25599 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gupboot variant outbound connection (malware-cnc.rules)
* 1:24720 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk SCCP keypad button message denial of service attempt (protocol-voip.rules)
* 1:25547 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:25026 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Juasek variant outbound connection (malware-cnc.rules)
* 1:25356 <-> DISABLED <-> SERVER-OTHER Squid Gopher response processing buffer overflow attempt (server-other.rules)
* 1:24010 <-> DISABLED <-> MALWARE-CNC runtime Trojan.Radil variant outbound connection (malware-cnc.rules)
* 1:25025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection (malware-cnc.rules)
* 1:24395 <-> DISABLED <-> MALWARE-OTHER itsoknoproblembro TCP flood (malware-other.rules)
* 1:24446 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC format string exploit attempt (server-other.rules)
* 1:20089 <-> DISABLED <-> INDICATOR-COMPROMISE IRC nick change on non-standard port (indicator-compromise.rules)
* 1:24293 <-> DISABLED <-> SERVER-OTHER EMC NetWorker SunRPC buffer overflow attempt (server-other.rules)
* 1:21220 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Susnatache.A inbound connection (malware-cnc.rules)
* 1:23787 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Locotout variant outbound connection (malware-cnc.rules)
* 1:19726 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Poison variant outbound connection (malware-cnc.rules)
* 1:20109 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection (malware-cnc.rules)
* 1:19918 <-> DISABLED <-> MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection (malware-cnc.rules)
* 1:20008 <-> DISABLED <-> MALWARE-CNC Malware PDFMarca.A runtime traffic detected (malware-cnc.rules)
* 1:18195 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt (os-windows.rules)
* 1:19732 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Idicaf variant outbound connection (malware-cnc.rules)
* 1:18950 <-> DISABLED <-> OS-WINDOWS Microsoft WINS service oversize payload exploit attempt (os-windows.rules)
* 1:19484 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gh0st variant outbound connection (malware-cnc.rules)
* 1:17126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB large session length with small packet (os-windows.rules)
* 1:18660 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB2 write packet buffer overflow attempt (os-windows.rules)
* 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
* 1:17710 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:16358 <-> DISABLED <-> MALWARE-CNC bugsprey variant outbound connection (malware-cnc.rules)
* 1:1729 <-> DISABLED <-> POLICY-SOCIAL IRC channel join (policy-social.rules)
* 1:16454 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 (os-windows.rules)
* 1:16576 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix AgentX receive_agentx stack buffer overflow attempt (server-other.rules)
* 1:16091 <-> DISABLED <-> SERVER-OTHER Macromedia Flash Media Server administration service denial of service attempt (server-other.rules)
* 1:1641 <-> DISABLED <-> SERVER-OTHER DB2 dos attempt (server-other.rules)
* 1:16271 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection (malware-cnc.rules)
* 1:16339 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object clone deletion memory corruption attempt - obfuscated (browser-ie.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:16093 <-> ENABLED <-> MALWARE-CNC bugsprey variant inbound connection (malware-cnc.rules)
* 1:15892 <-> DISABLED <-> SERVER-OTHER SAPLPD 0x53 command denial of service attempt (server-other.rules)
* 1:15930 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB malformed process ID high field remote code execution attempt (os-windows.rules)
* 1:12904 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup vmd shared library buffer overflow attempt (server-other.rules)
* 1:1545 <-> DISABLED <-> SERVER-OTHER Cisco denial of service attempt (server-other.rules)
* 1:14607 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
* 1:33872 <-> ENABLED <-> MALWARE-CNC Win.Worm.Urahu outbound connection (malware-cnc.rules)
* 1:32791 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock outbound connection (malware-cnc.rules)
* 1:33306 <-> ENABLED <-> MALWARE-OTHER connection to malware sinkhole (malware-other.rules)
* 1:33058 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Medusa variant inbound connection (malware-cnc.rules)
* 1:33227 <-> ENABLED <-> MALWARE-CNC Win.Agent.BHHK variant outbound connection (malware-cnc.rules)
* 1:32609 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant registration message (malware-cnc.rules)
* 1:32792 <-> ENABLED <-> MALWARE-CNC Win.Virus.Ransomlock inbound connection (malware-cnc.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
* 1:32607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt (malware-cnc.rules)
* 1:32180 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt (malware-cnc.rules)
* 1:32510 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.PiltabeA outbound connection (malware-cnc.rules)
* 1:32401 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Kivars outbound connection (malware-cnc.rules)
* 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
* 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
* 1:32181 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt (malware-cnc.rules)
* 1:32077 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RTMP ping abort message double free attempt (file-flash.rules)
* 1:32121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kryptik variant outbound connection (malware-cnc.rules)
* 1:31814 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent (malware-cnc.rules)
* 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection (malware-cnc.rules)
* 1:32005 <-> ENABLED <-> MALWARE-BACKDOOR AlienSpy RAT outbound connection (malware-backdoor.rules)
* 1:32009 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command (malware-cnc.rules)
* 1:31718 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Critroni outbound connection (malware-cnc.rules)
* 1:31925 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Jynxkit outbound connection (malware-cnc.rules)
* 1:31805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dizk variant outbound connection (malware-cnc.rules)
* 1:31813 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expiro outbound connection (malware-cnc.rules)
* 1:31604 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client (malware-cnc.rules)
* 1:31753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Elpapok outbound connection (malware-cnc.rules)
* 1:31607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server (malware-cnc.rules)
* 1:31706 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Korgapam outbound connection (malware-cnc.rules)
* 1:31234 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant inbound connection (malware-cnc.rules)
* 1:31605 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client (malware-cnc.rules)
* 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
* 1:31603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client (malware-cnc.rules)
* 1:30986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt (malware-cnc.rules)
* 1:31235 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nuckam variant outbound connection (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31168 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Guise outbound connection (malware-cnc.rules)
* 1:30883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:30926 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection (malware-cnc.rules)
* 1:30978 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rbrute inbound connection (malware-cnc.rules)
* 1:30809 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:309 <-> DISABLED <-> SERVER-MAIL sniffit overflow (server-mail.rules)
* 1:30811 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30812 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30810 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30808 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30525 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt (server-other.rules)
* 1:30806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:30752 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tesyong outbound connection (malware-cnc.rules)
* 1:30804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hulpob outbound connection (malware-cnc.rules)
* 1:29918 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.Vacky system information disclosure (malware-other.rules)
* 1:30566 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Elknot outbound connection (malware-cnc.rules)
* 1:30484 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection (malware-cnc.rules)
* 1:30524 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt (server-other.rules)
* 1:29430 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Icefog variant outbound connection (malware-cnc.rules)
* 1:30298 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection (malware-cnc.rules)
* 1:29581 <-> DISABLED <-> SERVER-OTHER CA Brightstor SUN RPC malformed string buffer overflow attempt (server-other.rules)
* 1:33289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt (malware-cnc.rules)
* 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
* 1:36877 <-> DISABLED <-> NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt (netbios.rules)
* 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
* 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
* 1:36610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Panskeg outbound connection (malware-cnc.rules)
* 1:36132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection (malware-cnc.rules)
* 1:36115 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Liudoor outbound connection (malware-cnc.rules)
* 1:35630 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35631 <-> DISABLED <-> SERVER-OTHER LibVNCServer rfbProcessClientNormalMessage msg.ssc.scale denial of service attempt (server-other.rules)
* 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection (malware-cnc.rules)
* 1:3527 <-> DISABLED <-> OS-SOLARIS Oracle Solaris LPD overflow attempt (os-solaris.rules)
* 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:34501 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection (malware-cnc.rules)
* 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection (malware-cnc.rules)
* 1:34934 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pheloyx outbound connection (malware-cnc.rules)
* 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection (malware-cnc.rules)
* 1:34997 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor variant HTTP Response (malware-cnc.rules)
* 1:33985 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34847 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.ChinaZ outbound connection (malware-cnc.rules)
* 1:34339 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Cybergate outbound connection (malware-cnc.rules)
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:37317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Radamant inbound connection (malware-cnc.rules)
* 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
* 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
* 1:36134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection (malware-cnc.rules)
* 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
* 1:542 <-> DISABLED <-> POLICY-SOCIAL IRC nick change (policy-social.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:21208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:19354 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection (malware-backdoor.rules)
* 1:21222 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection (malware-cnc.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
* 1:21177 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Ganipin.A inbound connection (malware-cnc.rules)
* 1:44943 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:44946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:39580 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection (malware-cnc.rules)
* 1:45104 <-> DISABLED <-> MALWARE-CNC Win.Malware.Recam variant outbound connection (malware-cnc.rules)
* 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
* 1:37370 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trochulis variant outbound connection (malware-cnc.rules)
* 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
* 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
* 1:44945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FallChill variant outbound connection (malware-cnc.rules)
* 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
* 1:41527 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy inbound connection on non-standard port (indicator-compromise.rules)
* 1:38356 <-> 
ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules) * 1:8362 <-> DISABLED <-> MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection (malware-backdoor.rules) * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules) * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules) * 1:7789 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client (malware-backdoor.rules) * 1:7785 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection - connection with password (malware-backdoor.rules) * 1:7788 <-> DISABLED <-> MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server (malware-backdoor.rules) * 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules) * 1:7635 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set (malware-backdoor.rules) * 1:6471 <-> DISABLED <-> SERVER-OTHER RealVNC password authentication bypass attempt (server-other.rules) * 1:7103 <-> DISABLED <-> MALWARE-CNC gwboy 0.92 variant outbound connection (malware-cnc.rules) * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules) * 1:6469 <-> ENABLED <-> SERVER-OTHER RealVNC connection attempt (server-other.rules) * 1:5999 <-> DISABLED <-> PUA-P2P Skype client login (pua-p2p.rules)
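As an added example, not part of the Talos changelog or of Snort's own tooling, the Python below parses entries in the `gid:sid <-> Default rule state <-> Message (rule group)` format this list uses and reports which rules ship DISABLED, since a rule that is disabled by default gives no coverage until a local policy turns it on. It copes with entries run together on one line or wrapped across two, as extracted copies of this page tend to be. The sample input is constructed from entries on this page; the class and function names (`RuleEntry`, `parse_entries`, `summarize`, `disabled_sids`) are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One changelog entry, in the format the rule pack itself states:
#   gid:sid <-> Default rule state <-> Message (rule group)
# Entries are matched with finditer rather than line by line, so extracted
# text with several entries on one line, or one entry wrapped across two
# lines, parses the same as a clean one-entry-per-line list.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # True when the pack ships the rule ENABLED by default
    message: str    # e.g. "MALWARE-CNC Win.Trojan.Droot outbound connection"
    group: str      # rules file the rule lives in, e.g. "malware-cnc.rules"

    @property
    def category(self) -> str:
        """Leading classification token of the message, e.g. MALWARE-CNC."""
        return self.message.split(" ", 1)[0]


def parse_entries(text: str) -> List[RuleEntry]:
    """Parse every '* gid:sid <-> STATE <-> message (group)' entry in text."""
    flat = " ".join(text.split())  # collapse line wraps so the message regex can span them
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                  m["msg"], m["group"])
        for m in ENTRY_RE.finditer(flat)
    ]


def summarize(entries: List[RuleEntry]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Counts of entries by default state and by rules file."""
    by_state = Counter("enabled" if e.enabled else "disabled" for e in entries)
    by_group = Counter(e.group for e in entries)
    return dict(by_state), dict(by_group)


def disabled_sids(entries: List[RuleEntry], group: Optional[str] = None) -> List[str]:
    """gid:sid of rules that ship DISABLED (no coverage until a policy enables
    them), in list order, optionally restricted to one rules file."""
    return [f"{e.gid}:{e.sid}" for e in entries
            if not e.enabled and (group is None or e.group == group)]


# Constructed sample: entries copied from this changelog, laid out in the three
# shapes extracted text shows (two on one line, one wrapped, one per line).
SAMPLE = """\
* 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules) * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
* 1:39309 <-> ENABLED <-> FILE-FLASH Adobe Flash Player
malformed ATF file length load buffer overflow attempt (file-flash.rules)
* 1:41534 <-> DISABLED <-> INDICATOR-COMPROMISE SOCKS5 proxy server method negotiation on non-standard port (indicator-compromise.rules)
* 1:20092 <-> DISABLED <-> INDICATOR-COMPROMISE IRC channel join on non-standard port (indicator-compromise.rules)
* 1:7631 <-> ENABLED <-> MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set (malware-backdoor.rules)
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    by_state, by_group = summarize(entries)
    print("by state:", by_state)
    print("by rules file:", by_group)
    print("disabled by default:", disabled_sids(entries))
```

Point the parser at a saved copy of the whole changelog to get the full disabled list for a release; the `group` filter is useful when reviewing one rules file at a time, for example the file-other entries above, which all ship disabled.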