Talos has added and modified multiple rules in the malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091800.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 3:58061 <-> ENABLED <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected (policy-other.rules)

* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (snort3-malware-other.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (snort3-malware-other.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (snort3-malware-cnc.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (snort3-malware-other.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (snort3-malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (snort3-server-webapp.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (snort3-malware-cnc.rules)

* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (snort3-malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (snort3-malware-cnc.rules)
* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (snort3-malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58051 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58057 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58060 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection (malware-cnc.rules)
* 1:58052 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58049 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58050 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt (malware-other.rules)
* 1:58048 <-> DISABLED <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt (malware-other.rules)
* 1:58053 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58054 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58055 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58056 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58058 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)
* 1:58062 <-> DISABLED <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt (malware-cnc.rules)
* 1:58059 <-> DISABLED <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt (server-webapp.rules)

* 1:24287 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection (malware-cnc.rules)
* 1:23245 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection (malware-cnc.rules)
* 1:21477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:58048 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58049 <-> MALWARE-OTHER Php.Webshell.CNHonker download attempt
* 1:58050 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58051 <-> MALWARE-OTHER Php.Webshell.CNHonker upload attempt
* 1:58052 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58053 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58054 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58055 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58056 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58057 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58058 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58059 <-> SERVER-WEBAPP Realtek Jungle SDK command injection attempt
* 1:58060 <-> MALWARE-CNC Win.Downloader.Pingbed outbound connection
* 3:58061 <-> POLICY-OTHER Cisco TelePresence Video Communication Server upgrade request detected
* 1:58062 <-> MALWARE-CNC Unix.Backdoor.SNIcat outbound request attempt

* 1:21477 <-> MALWARE-CNC Win.Trojan.Noobot variant outbound connection
* 1:23245 <-> MALWARE-CNC Win.Trojan.Downloader variant outbound connection
* 1:24287 <-> MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection