Talos has added and modified multiple rules in the browser-chrome, file-office, file-other, malware-cnc, malware-other, protocol-dns, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
A rule listed as DISABLED ships turned off in the default policy and must be enabled explicitly before it alerts; entries with gid 3 are shared-object (SO) rules, which are only available on platforms for which a precompiled SO rule package exists.
Added rules:

* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)

Modified rules:

* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
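The changelog format described above is regular enough to parse mechanically, which is how you would turn one of these announcements into a per-category summary or a list of rule IDs to switch on. The script below is an added example and is not code from Talos or the Snort project. It parses entries in the `gid:sid <-> state <-> message (group)` form, including several entries run together on one line as they appear on this page, and the sample input is a handful of entries copied from the list above. The `gid:sid` output form is the one PulledPork's enablesid.conf accepts; that it matches your own rule-management tooling is an assumption, and which DISABLED rules to enable remains a local policy decision.

```python
import re
from collections import Counter

# One changelog entry: "* gid:sid <-> STATE <-> MESSAGE (group.rules)".
# The message is matched non-greedily so several entries run together on a
# single line still split correctly at each "(group.rules)" suffix.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)

# Constructed sample: entries copied from the rule list above; the first line
# carries two entries run together, as the page itself does.
SAMPLE_CHANGELOG = """
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules) * 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
"""


def parse_changelog(text):
    """Return one dict per well-formed entry; truncated fragments are skipped."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        msg = m.group("msg")
        entries.append({
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            "category": msg.split(" ", 1)[0],  # leading token, e.g. SERVER-WEBAPP
            "msg": msg,
            "group": m.group("group"),
            # gid 3 entries are shared-object (SO) rules, which need the
            # precompiled SO package for your platform rather than a text rule.
            "shared_object": m.group("gid") == "3",
        })
    return entries


def state_summary(entries):
    """Count entries per (category, default state), e.g. ('SERVER-WEBAPP', 'DISABLED')."""
    return Counter((e["category"], e["state"]) for e in entries)


def disabled_rule_ids(entries, categories=None, include_so=True):
    """gid:sid strings for rules that ship DISABLED, optionally limited to some
    categories and/or to text rules only, sorted numerically by (gid, sid)."""
    ids = []
    for e in entries:
        if e["state"] != "DISABLED":
            continue
        if categories and e["category"] not in categories:
            continue
        if not include_so and e["shared_object"]:
            continue
        ids.append((e["gid"], e["sid"]))
    return [f"{gid}:{sid}" for gid, sid in sorted(ids)]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for (category, state), n in sorted(state_summary(parsed).items()):
        print(f"{category:<16} {state:<9} {n}")
    print("off by default:", ", ".join(disabled_rule_ids(parsed)))
    print("off by default, web apps only:",
          ", ".join(disabled_rule_ids(parsed, categories={"SERVER-WEBAPP"})))
```

Feeding the full announcement text (one version block at a time) to `parse_changelog` gives you the same entries the list above shows, one per line, and `disabled_rule_ids` is the list to review before deciding what to enable; a trailing fragment such as a cut-off entry simply does not match and is dropped rather than producing a half-parsed rule.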
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)

Modified rules:

* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)

Modified rules:

* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)

Modified rules:

* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)

Modified rules:

* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:

* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)

Modified rules:

* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (snort3-protocol-dns.rules) * 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (snort3-malware-cnc.rules) * 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (snort3-malware-cnc.rules) * 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (snort3-server-webapp.rules) * 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (snort3-malware-cnc.rules) * 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (snort3-file-office.rules) * 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (snort3-malware-other.rules) * 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (snort3-file-office.rules) * 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (snort3-malware-other.rules) * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (snort3-server-other.rules) * 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (snort3-server-other.rules) * 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (snort3-server-webapp.rules) * 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (snort3-browser-chrome.rules) * 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (snort3-server-webapp.rules) * 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (snort3-file-other.rules) * 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (snort3-server-other.rules) * 1:54605 <-> DISABLED <-> MALWARE-OTHER 
Win.Dropper.Dorkbot-8975168-0 download attempt (snort3-malware-other.rules) * 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (snort3-malware-cnc.rules) * 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (snort3-browser-chrome.rules) * 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (snort3-server-webapp.rules) * 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (snort3-browser-chrome.rules) * 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (snort3-malware-cnc.rules) * 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (snort3-malware-cnc.rules) * 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (snort3-server-other.rules) * 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (snort3-malware-other.rules) * 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (snort3-server-webapp.rules) * 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (snort3-browser-chrome.rules) * 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (snort3-server-other.rules) * 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (snort3-server-webapp.rules) * 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (snort3-file-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (snort3-server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (snort3-file-other.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (snort3-file-other.rules)
* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:54630 <-> DISABLED <-> PROTOCOL-DNS BIND DNS server TSIG denial of service attempt (protocol-dns.rules)
* 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
* 1:54609 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
* 1:54594 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54627 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54617 <-> ENABLED <-> SERVER-WEBAPP GeoVision Door Access Control hidden url access attempt (server-webapp.rules)
* 1:54597 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54625 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54621 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54604 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54623 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54626 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload outbound download attempt (malware-cnc.rules)
* 1:54622 <-> DISABLED <-> BROWSER-CHROME Google Chrome ReadableStream out of bounds read attempt (browser-chrome.rules)
* 1:54610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54605 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Dorkbot-8975168-0 download attempt (malware-other.rules)
* 1:54619 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54595 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-8992619-0 download attempt (malware-other.rules)
* 1:54616 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized conference termination attempt (server-other.rules)
* 1:54628 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Dridex variant payload inbound download attempt (malware-cnc.rules)
* 1:54620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor stack buffer overflow attempt (file-office.rules)
* 1:54618 <-> DISABLED <-> FILE-OTHER Microsoft .NET API XPS file parsing remote code execution attempt (file-other.rules)
* 1:54613 <-> DISABLED <-> SERVER-OTHER Zoom client spoofed chat message attempt (server-other.rules)
* 1:54624 <-> DISABLED <-> BROWSER-CHROME Google Chrome blink webaudio module use after free attempt (browser-chrome.rules)
* 1:54596 <-> DISABLED <-> SERVER-WEBAPP WordPress bbPress plugin unauthenticated privilege escalation attempt (server-webapp.rules)
* 1:54603 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prometei variant outbound connection (malware-cnc.rules)
* 1:54602 <-> DISABLED <-> SERVER-WEBAPP Laravel Framework PendingCommand arbitrary command execution attempt (server-webapp.rules)
* 1:54615 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized screen control attempt (server-other.rules)
* 1:54629 <-> DISABLED <-> SERVER-WEBAPP Microsoft Windows .NET API XML unsafe deserialization attempt (server-webapp.rules)
* 3:54600 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54608 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54598 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54599 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54601 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA directory traversal attempt (server-webapp.rules)
* 3:54606 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 3:54607 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-1126 attack attempt (server-webapp.rules)
* 1:39736 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:18768 <-> DISABLED <-> SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt (server-mail.rules)
* 1:39735 <-> DISABLED <-> FILE-OTHER Multiple Products XML buffer overflow attempt (file-other.rules)
* 1:15884 <-> DISABLED <-> SERVER-OTHER Multiple Products LPD 0x02 command buffer overflow attempt (server-other.rules)