Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-other, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (snort3-malware-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (snort3-malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (snort3-browser-firefox.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (snort3-server-webapp.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (snort3-server-webapp.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (snort3-server-webapp.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (snort3-malware-other.rules)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (snort3-malware-other.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (snort3-malware-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (snort3-server-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (snort3-server-other.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (snort3-malware-other.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (snort3-malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (snort3-browser-firefox.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (snort3-malware-cnc.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (snort3-server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (snort3-malware-cnc.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (snort3-browser-ie.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (snort3-os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:56536 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56542 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56534 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56531 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.IcedId payload download attempt (malware-other.rules)
* 1:56543 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted hostname remote code execution attempt (server-other.rules)
* 1:56529 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56535 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9802270-0 download attempt (malware-other.rules)
* 1:56528 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Emotet-9801895-0 download attempt (malware-other.rules)
* 1:56541 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox default content process DACL sandbox escape attempt (browser-firefox.rules)
* 1:56530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound communication attempt (malware-cnc.rules)
* 1:56533 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56538 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 1:56544 <-> DISABLED <-> SERVER-OTHER AnyDesk Discovery Feature crafted username remote code execution attempt (server-other.rules)
* 1:56532 <-> ENABLED <-> SERVER-WEBAPP Advantech WebAccess NMS directory traversal attempt (server-webapp.rules)
* 1:56537 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Dexter POS variant download attempt (malware-other.rules)
* 3:56539 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 3:56540 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-1212 attack attempt (file-other.rules)
* 1:13980 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer http status response memory corruption vulnerability (browser-ie.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:31669 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dexter variant outbound connection (malware-cnc.rules)
* 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)