Talos has added and modified multiple rules in the file-image, file-pdf, malware-backdoor, malware-cnc, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (snort3-server-webapp.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (snort3-malware-cnc.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (snort3-malware-backdoor.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (snort3-policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (snort3-policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57315 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57312 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57311 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 1:57317 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57319 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57320 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57299 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_rewrite external URL redirection attempt (server-webapp.rules)
* 1:57316 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57321 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57318 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57314 <-> DISABLED <-> MALWARE-BACKDOOR Asp.Trojan.Hafnium web shell upload attempt (malware-backdoor.rules)
* 1:57313 <-> ENABLED <-> MALWARE-CNC Html.Webshell.Hafnium inbound request attempt (malware-cnc.rules)
* 3:57301 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57304 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 3:57307 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57305 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57308 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57302 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1264 attack attempt (file-image.rules)
* 3:57310 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1268 attack attempt (netbios.rules)
* 3:57309 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1274 attack attempt (server-webapp.rules)
* 3:57300 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers stack buffer overflow attempt (server-webapp.rules)
* 3:57306 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2021-1272 attack attempt (server-webapp.rules)
* 3:57303 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2021-1266 attack attempt (file-pdf.rules)
* 1:5708 <-> DISABLED <-> POLICY-OTHER web server file upload attempt (policy-other.rules)
* 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
* 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)