Talos has added and modified multiple rules in the malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (snort3-server-webapp.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (snort3-policy-other.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (snort3-os-windows.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules) * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (snort3-server-mail.rules) * 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (snort3-server-mail.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (snort3-server-webapp.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (snort3-server-webapp.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (snort3-malware-cnc.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (snort3-malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53431 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53430 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53433 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53446 <-> DISABLED <-> POLICY-OTHER FreeSWITCH default credential login detected (policy-other.rules) * 1:53429 <-> DISABLED <-> SERVER-WEBAPP rConfig authenticated remote code execution attempt (server-webapp.rules) * 1:53432 <-> DISABLED <-> SERVER-MAIL OpenSMTPD smtp_mailaddr command injection attempt (server-mail.rules) * 1:53436 <-> ENABLED <-> OS-WINDOWS Windows RDP Gateway Server denial of service attempt (os-windows.rules) * 1:53437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53434 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53439 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53435 <-> ENABLED <-> SERVER-WEBAPP Zoho ManageEngine Desktop Central directory traversal attempt (server-webapp.rules) * 1:53440 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 1:53438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Parallax variant outbound cnc connection attempt (malware-cnc.rules) * 3:53443 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1022 attack attempt (protocol-scada.rules) * 3:53442 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1021 attack attempt (protocol-scada.rules) * 3:53441 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1020 attack attempt (protocol-scada.rules) * 3:53444 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1023 attack attempt (protocol-scada.rules) * 3:53445 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1024 attack attempt (protocol-scada.rules)
* 1:33942 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules) * 1:33943 <-> ENABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
