Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-office, file-other, indicator-shellcode, malware-cnc, malware-other, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

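The `gid:sid <-> Default rule state <-> Message (rule group)` entries above are simple to parse, and parsing them is worth doing: several of the new rules, including both SaltStack authentication bypass rules and all four SaltStack wheel directory traversal rules, ship DISABLED and give no coverage until an operator turns them on. The following Python is an added example, not Talos or snort.org tooling. It parses change-log entries in either the one-per-line layout or the flattened `* ... * ...` layout, lists the rules that are disabled by default, groups them by category, reports gid:sid entries present in a Snort 2.9 list but absent from the Snort 3 list, and emits a comma-separated gid:sid string in the form assumed here to match pulledpork's enablesid.conf. The sample entries are constructed from the entries on this page.

```python
"""Parse Snort rule-pack change-log entries of the form
    gid:sid <-> Default rule state <-> Message (rule group)
and report which rules ship DISABLED, since a disabled rule gives no coverage
until an operator turns it on.  Added example; sample entries are copied from
the 2091600 and Snort 3 sections of the change log."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One entry: "1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack ... (server-other.rules)"
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def category(self) -> str:
        # The first token of the message is the rule category, e.g. SERVER-OTHER.
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse a change-log block: one entry per line, or entries joined by ' * '
    as on the flattened page.  Bullets delimit entries in both layouts."""
    entries = []
    for chunk in re.split(r"\s*\*\s+", text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"unparseable change-log entry: {chunk!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def disabled_by_default(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Rules that ship DISABLED, sorted by gid:sid."""
    return sorted((e for e in entries if not e.enabled), key=lambda e: (e.gid, e.sid))


def by_category(entries: list[RuleEntry]) -> dict[str, list[RuleEntry]]:
    """Group entries by rule category (SERVER-OTHER, MALWARE-CNC, ...)."""
    out: dict[str, list[RuleEntry]] = defaultdict(list)
    for e in entries:
        out[e.category].append(e)
    return dict(out)


def missing_in(pack_a: list[RuleEntry], pack_b: list[RuleEntry]) -> list[str]:
    """gid:sid keys listed in pack_a but absent from pack_b."""
    keys_b = {e.key for e in pack_b}
    return sorted(e.key for e in pack_a if e.key not in keys_b)


def enablesid_line(entries: list[RuleEntry], category: str) -> str:
    """Disabled rules of one category as 'gid:sid,gid:sid', the comma-separated
    form assumed here to match pulledpork's enablesid.conf."""
    return ",".join(e.key for e in disabled_by_default(entries) if e.category == category)


# Constructed samples: entries from this page, first in its flattened layout.
SNORT29_ADDED = (
    "* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules) "
    "* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules) "
    "* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules) "
    "* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules) "
    "* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)"
)
SNORT3_ADDED = """\
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (snort3-malware-other.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
"""

if __name__ == "__main__":
    pack29 = parse_changelog(SNORT29_ADDED)
    for e in disabled_by_default(pack29):
        print(f"{e.key:>8}  {e.category:<14} {e.msg}")
    print("enablesid:", enablesid_line(pack29, "SERVER-OTHER"))
    print("not in Snort 3 list:", missing_in(pack29, parse_changelog(SNORT3_ADDED)))
```

Run against the full lists on this page, the script flags the SaltStack rules 1:54022, 1:54023 and 1:54030 through 1:54033 as disabled, and shows that the gid 3 entries of the Snort 2.9 lists have no counterpart in the Snort 3 list. Parsing is strict on purpose: an entry that does not match the documented format raises instead of being silently skipped, so a layout change in a future change log is noticed rather than producing an incomplete enable list.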
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)

Modified rules:
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules) * 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (snort3-malware-cnc.rules) * 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules) * 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules) * 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (snort3-malware-other.rules) * 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (snort3-malware-other.rules) * 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules) * 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules) * 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (snort3-malware-other.rules) * 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (snort3-malware-cnc.rules) * 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (snort3-malware-other.rules) * 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (snort3-malware-other.rules) * 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (snort3-malware-cnc.rules) * 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules) * 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (snort3-server-other.rules) * 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (snort3-malware-cnc.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (snort3-malware-cnc.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (snort3-browser-ie.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (snort3-browser-ie.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (snort3-malware-cnc.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (snort3-indicator-shellcode.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54033 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54029 <-> DISABLED <-> MALWARE-CNC Win.Malware.Rifdoor outbound cnc registration attempt (malware-cnc.rules)
* 1:54017 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54013 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54020 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hancitor COVID-19 subject phishing email attempt (malware-other.rules)
* 1:54014 <-> ENABLED <-> MALWARE-CNC Win.Malware.Trickbot variant outbound connection (malware-cnc.rules)
* 1:54032 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54015 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54023 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54018 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Dorkbot-7847299-0 download attempt (malware-other.rules)
* 1:54030 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 1:54021 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Andariel outbound connection attempt (malware-cnc.rules)
* 1:54016 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Bifrost-7846624-0 download attempt (malware-other.rules)
* 1:54022 <-> DISABLED <-> SERVER-OTHER SaltStack authentication bypass attempt (server-other.rules)
* 1:54019 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ApolloZeus Loader beaconing attempt (malware-cnc.rules)
* 1:54031 <-> DISABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
* 3:54027 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54025 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54028 <-> ENABLED <-> INDICATOR-SHELLCODE Java RMI deserialization exploit attempt (indicator-shellcode.rules)
* 3:54026 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54024 <-> ENABLED <-> POLICY-OTHER Cisco Unified Contact Center Express vulnerable Java RMI class access detected (policy-other.rules)
* 3:54034 <-> ENABLED <-> SERVER-OTHER Cisco Prime Network Registrar denial of service attempt (server-other.rules)
* 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 1:49989 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:49988 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer cdomuievent use after free attempt (browser-ie.rules)
* 1:39685 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tinba variant outbound connection (malware-cnc.rules)
* 1:46937 <-> ENABLED <-> INDICATOR-SHELLCODE ysoserial Java object deserialization exploit attempt (indicator-shellcode.rules)
* 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:53957 <-> ENABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection (malware-cnc.rules)
* 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)
* 3:31666 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
* 3:33929 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:34369 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central command injection attempt (server-webapp.rules)
* 3:31664 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:31667 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)
* 3:33928 <-> ENABLED <-> SERVER-OTHER Cisco IOS mDNS denial of service attempt (server-other.rules)
* 3:31665 <-> ENABLED <-> SERVER-OTHER Cisco ASA SQLNet inspection engine denial of service attempt (server-other.rules)