Talos has added and modified multiple rules in the browser-chrome, file-image, file-pdf, indicator-compromise, malware-other, os-windows, protocol-scada, protocol-voip, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules)
* 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules)
* 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules)
* 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules)
* 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules)
* 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules)
* 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules)
* 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules)
* 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (snort3-malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (snort3-indicator-compromise.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (snort3-malware-other.rules) * 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (snort3-indicator-compromise.rules)
* 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (snort3-server-webapp.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (snort3-server-webapp.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (snort3-server-other.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (snort3-server-other.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (snort3-server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (snort3-server-webapp.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (snort3-os-windows.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (snort3-server-oracle.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (snort3-server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (snort3-server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (snort3-server-other.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (snort3-server-webapp.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (snort3-server-other.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (snort3-server-webapp.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (snort3-protocol-voip.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (snort3-server-other.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (snort3-server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (snort3-server-other.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (snort3-server-webapp.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (snort3-protocol-voip.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57055 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57051 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 1:57054 <-> DISABLED <-> INDICATOR-COMPROMISE RTF objdata file download attempt (indicator-compromise.rules) * 1:57050 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Generickdz-9827137-0 download attempt (malware-other.rules) * 3:57059 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57060 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1233 attack attempt (file-pdf.rules) * 3:57058 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57056 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2021-1234 attack attempt (protocol-scada.rules) * 3:57052 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules) * 3:57057 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2021-1235 attack attempt (browser-chrome.rules) * 3:57053 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1232 attack attempt (file-image.rules)
* 1:15977 <-> DISABLED <-> SERVER-WEBAPP PHP strip_tags bypass vulnerability exploit attempt (server-webapp.rules) * 1:20372 <-> DISABLED <-> PROTOCOL-VOIP Contact header unquoted tokens in field attempt (protocol-voip.rules) * 1:20307 <-> DISABLED <-> PROTOCOL-VOIP CSeq header method mismatch attempt (protocol-voip.rules) * 1:16213 <-> DISABLED <-> SERVER-OTHER Red Hat Directory Server Accept-Language HTTP header parsing buffer overflow attempt (server-other.rules) * 1:19072 <-> DISABLED <-> SERVER-OTHER RealNetworks Helix Server NTLM authentication heap overflow attempt (server-other.rules) * 1:12685 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manger Express CAD Host buffer overflow (server-other.rules) * 1:15985 <-> DISABLED <-> OS-WINDOWS Microsoft ASP.NET canonicalization exploit attempt (os-windows.rules) * 1:17370 <-> ENABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:25276 <-> DISABLED <-> SERVER-OTHER Digium Asterisk oversized Content-Length memory corruption attempt (server-other.rules) * 1:17535 <-> DISABLED <-> SERVER-OTHER Apple CUPS Text to PostScript Filter Integer Overflow attempt (server-other.rules) * 1:4637 <-> DISABLED <-> SERVER-OTHER MailEnable HTTPMail buffer overflow attempt (server-other.rules) * 1:17534 <-> ENABLED <-> SERVER-OTHER IPP Application Content (server-other.rules) * 1:15955 <-> DISABLED <-> SERVER-ORACLE Application Server 9i Webcache file corruption attempt (server-oracle.rules) * 1:40046 <-> DISABLED <-> SERVER-OTHER PHP locale_accept_from_http out of bounds read attempt (server-other.rules) * 1:41359 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada WAP URI null byte injection attempt (server-webapp.rules) * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access attempt (server-webapp.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules) * 1:15960 <-> DISABLED <-> SERVER-OTHER Novell eDirectory MS-DOS device name DoS attempt (server-other.rules) * 1:15953 <-> DISABLED <-> SERVER-WEBAPP Ipswitch IMail Calendaring arbitrary file read attempt (server-webapp.rules) * 1:17371 <-> DISABLED <-> SERVER-WEBAPP Squid authentication headers handling denial of service attempt (server-webapp.rules) * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
