Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, policy-other, protocol-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)

* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)

* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)

* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (snort3-malware-other.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (snort3-malware-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (snort3-malware-other.rules)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (snort3-server-webapp.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (snort3-malware-other.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (snort3-server-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (snort3-policy-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (snort3-malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (snort3-malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (snort3-malware-other.rules)

* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (snort3-malware-cnc.rules)
* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54162 <-> ENABLED <-> SERVER-WEBAPP Apache Tomcat FileStore directory traversal attempt (server-webapp.rules)
* 1:54154 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54151 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54150 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54156 <-> ENABLED <-> POLICY-OTHER LDAP bind success (policy-other.rules)
* 1:54152 <-> ENABLED <-> MALWARE-OTHER Win.Adware.Hao123 outbound connection attempt (malware-other.rules)
* 1:54146 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54153 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Turla malicious executable download attempt (malware-other.rules)
* 1:54157 <-> DISABLED <-> SERVER-OTHER VMWare Directory Service authentication bypass attempt (server-other.rules)
* 1:54145 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
* 1:54147 <-> DISABLED <-> MALWARE-OTHER Win.Worm.Dorkbot-7993070-0 download attempt (malware-other.rules)
* 1:54148 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 1:54149 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Vobfus-7994999-0 download attempt (malware-other.rules)
* 3:54161 <-> ENABLED <-> POLICY-OTHER Cisco IOx token service access detected (policy-other.rules)
* 3:54155 <-> ENABLED <-> SERVER-OTHER Cisco IOx Application Environment external VDS control message attempt (server-other.rules)
* 3:53502 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53503 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:53499 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53504 <-> ENABLED <-> FILE-OTHER TAR file directory traversal attempt (file-other.rules)
* 3:54163 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53501 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:54160 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54159 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKE2 invalid port denial of service attempt (server-other.rules)
* 3:54158 <-> ENABLED <-> PROTOCOL-OTHER Cisco IOS XE NetFlow packet parsing denial of service attempt (protocol-other.rules)
* 3:54164 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed SIP Via header denial of service attempt (protocol-voip.rules)
* 3:53498 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload directory traversal attempt (server-webapp.rules)
* 3:53500 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI file upload remote code execution attempt (server-webapp.rules)
* 3:53497 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

* 1:53841 <-> DISABLED <-> MALWARE-CNC Win.Malware.Agent variant outbound cnc connection attempt (malware-cnc.rules)
* 1:54004 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.WolfRAT variant outbound connection (malware-cnc.rules)
* 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
* 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)