Talos has added and modified multiple rules in the browser-chrome, malware-cnc, malware-other, policy-other, protocol-dns, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (snort3-malware-cnc.rules)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (snort3-malware-other.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (snort3-server-other.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (snort3-server-webapp.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (snort3-malware-other.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (snort3-browser-chrome.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (snort3-server-webapp.rules)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (snort3-malware-other.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (snort3-malware-other.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (snort3-server-webapp.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (snort3-malware-other.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (snort3-browser-chrome.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (snort3-malware-cnc.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (snort3-server-webapp.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (snort3-malware-other.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
* 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
* 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
* 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
* 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
* 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
* 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
* 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
* 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
* 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
* 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
* 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
* 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
* 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
* 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
* 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
* 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
* 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)