Talos has created the following rules, SIDs 58955-58956, to address CVE-2021-4034 ("PwnKit"), a local privilege escalation vulnerability in Polkit's setuid pkexec utility. Because the flaw is exploited locally, a network sensor only sees it when exploit material crosses the wire; the rules are not a substitute for updating polkit, and until the update lands the standard interim mitigation is to remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec).
Talos has added and modified multiple rules in the browser-ie, file-executable, file-image, file-other, malware-cnc, malware-other, os-linux, server-other and server-webapp rule sets to provide coverage for emerging threats.
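As an added example (not part of the Talos advisory or the Snort rule set), the following Python checks the host-side condition the network rules cannot observe: whether pkexec on this machine is still setuid root, which PwnKit requires. It assumes the default /usr/bin/pkexec path and uses only the standard library.

```python
"""Host-side exposure check for CVE-2021-4034 (PwnKit).

Added example, not code from Talos or the polkit project.  Snort rules
1:58955-58956 only see exploit traffic on the wire; whether a host can
actually be exploited depends on the local binary.  PwnKit needs pkexec
to be setuid root, so the usual stopgap until polkit is patched is to
drop the setuid bit (chmod 0755 /usr/bin/pkexec).  This script reports
that state.  Note that a patched pkexec is still setuid root, so
"setuid_root" below means the escalation path is reachable, not that the
package is unpatched; confirm the version against your distribution's
advisory.
"""
import os
import stat

PKEXEC_PATH = "/usr/bin/pkexec"  # assumed default install location


def classify(mode: int, owner_uid: int) -> dict:
    """Decide reachability from a file's st_mode and owner uid.

    Exploitation needs both the setuid bit and root ownership; with either
    one missing, pkexec cannot hand out root this way.
    """
    is_setuid = bool(mode & stat.S_ISUID)
    return {
        "exists": True,
        "setuid": is_setuid,
        "owner_uid": owner_uid,
        "setuid_root": is_setuid and owner_uid == 0,
    }


def inspect_pkexec(path: str = PKEXEC_PATH) -> dict:
    """stat() the binary and classify it; a missing binary is not reachable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False, "setuid": False, "owner_uid": None, "setuid_root": False}
    return classify(st.st_mode, st.st_uid)


def mitigation_hint(info: dict) -> str:
    """One-line operator guidance for the classified state."""
    if not info["exists"]:
        return "pkexec not present: nothing to do"
    if info["setuid_root"]:
        return ("setuid root: confirm polkit is patched; if it is not, stopgap is "
                "chmod 0755 " + PKEXEC_PATH)
    return "not setuid root: PwnKit escalation path is closed on this host"


if __name__ == "__main__":
    info = inspect_pkexec()
    print(info)
    print(mitigation_hint(info))
```

Run it as any unprivileged user; stat() needs no special rights, so the check can be pushed out with whatever inventory tooling already runs on the fleet.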
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
The default state is the state in the policy the rule pack ships with: an ENABLED rule alerts out of the box, while a DISABLED rule is commented out in its rules file and must be enabled explicitly (for example through PulledPork's enablesid.conf, or by uncommenting it) before it produces any alert.
* 1:58929 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 1:58930 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58931 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58932 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 1:58933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58935 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58936 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58937 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58938 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58939 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58940 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58941 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58942 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58943 <-> DISABLED <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt (malware-cnc.rules)
* 1:58944 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected (malware-cnc.rules)
* 1:58945 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58946 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules)
* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
* 3:38671 <-> ENABLED <-> BROWSER-IE SFVRT-1021 attack attempt (browser-ie.rules)
* 3:38672 <-> ENABLED <-> BROWSER-IE SFVRT-1021 attack attempt (browser-ie.rules)
* 3:40878 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
* 3:40879 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
* 3:58947 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules)
* 3:58948 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules)
* 3:58951 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt (server-other.rules)
* 3:58952 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt (server-other.rules)
* 3:58953 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt (server-other.rules)
* 3:58954 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt (server-other.rules)
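Once extraction has run the entries together, the list above is awkward to read by eye, and the per-version sections that follow raise the obvious operational question of whether the rule set actually changed between Snort releases. The Python below is an added example, not code from Talos or the Snort project: it parses entries in the gid:sid <-> state <-> message (group) format, pulls out the rules for a keyword such as "pkexec", and diffs two lists by (gid, sid). The sample input is four entries copied from the 2091900 and 2091801 lists on this page, constructed here as inline strings.

```python
"""Parse and compare Talos rule-update lists.

Added example, not code from Talos or the Snort project.  Entries on the
page follow
    gid:sid <-> Default rule state <-> Message (rule group)
and extraction has run many of them together on one line, sometimes
breaking a single entry across a line.  The regex below tolerates both.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    gid: int
    sid: int
    state: str      # "ENABLED" or "DISABLED" (default state in the shipped policy)
    message: str
    group: str      # rules file, e.g. "os-linux.rules"


# One entry, e.g. "1:58955 <-> ENABLED <-> OS-LINUX ... attempt (os-linux.rules)".
# DOTALL lets the non-greedy message span a line break inserted by extraction.
ENTRY_RE = re.compile(
    r"(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+\.rules)\)",
    re.DOTALL,
)


def parse_rules(text: str) -> List[Rule]:
    """Return every gid:sid entry found in `text`, in page order."""
    return [Rule(int(g), int(s), st, " ".join(msg.split()), grp)
            for g, s, st, msg, grp in ENTRY_RE.findall(text)]


def rules_for(text: str, needle: str) -> List[Rule]:
    """Rules whose message mentions `needle` (case-insensitive), sorted by gid:sid."""
    hits = [r for r in parse_rules(text) if needle.lower() in r.message.lower()]
    return sorted(hits, key=lambda r: (r.gid, r.sid))


def diff_versions(old_text: str, new_text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Compare two lists keyed by (gid, sid): additions, removals, and entries
    whose default state, message or group changed.  Order is ignored."""
    old = {(r.gid, r.sid): r for r in parse_rules(old_text)}
    new = {(r.gid, r.sid): r for r in parse_rules(new_text)}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


# Constructed sample input: four entries copied from the 2091900 and 2091801
# lists on this page, run together the way the page has them.  The second
# list holds the same rules in a different order.
V2091900 = (
    "* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules) "
    "* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules) "
    "* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules) "
    "* 3:58947 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules)"
)
V2091801 = (
    "* 3:58947 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules) "
    "* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules) "
    "* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules) "
    "* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules)"
)

if __name__ == "__main__":
    for r in rules_for(V2091900, "pkexec"):
        print(f"{r.gid}:{r.sid} {r.state} {r.message} [{r.group}]")
    print(diff_versions(V2091900, V2091801))
```

Feed each per-version section of the page into diff_versions() and an empty result confirms that only the order differs; a non-empty "changed" list is the thing to look for after a rule update, since a default-state flip from DISABLED to ENABLED changes what the sensor alerts on without adding a new SID.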
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The rule list for this version is the same 32 entries, with the same default states, as the 2091900 list above; only the order differs.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
* 1:58929 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 1:58944 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected (malware-cnc.rules)
* 1:58936 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58935 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58942 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
* 1:58943 <-> DISABLED <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt (malware-cnc.rules)
* 1:58931 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58945 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules)
* 1:58946 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58937 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58941 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58930 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58938 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58939 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58940 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58932 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 3:58952 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt (server-other.rules)
* 3:58954 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt (server-other.rules)
* 3:58947 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules)
* 3:58948 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt (file-image.rules)
* 3:58951 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt (server-other.rules)
* 3:58953 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt (server-other.rules)

* 3:40879 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
* 3:38671 <-> ENABLED <-> BROWSER-IE SFVRT-1021 attack attempt (browser-ie.rules)
* 3:40878 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
* 3:38672 <-> ENABLED <-> BROWSER-IE SFVRT-1021 attack attempt (browser-ie.rules)
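The lists above follow two line layouts: the Snort 2.9.x packs use `gid:sid <-> Default rule state <-> Message (rule group)`, while the Snort 3.x packs further down use the shorter `gid:sid <-> Message` and carry no default state or rules file. When you need to act on a release (for instance, to pull out the SIDs that ship DISABLED and so never fire until your policy enables them, or to compare which SIDs two packs contain), it helps to parse the lists rather than read them by eye. The following is an added example written for this page, not a Talos or Snort tool; it handles both layouts, tolerates entries wrapped across line breaks the way this page renders them, and its sample input is a handful of entries copied from the 2091101 list, flattened and wrapped on purpose.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One pattern covers both layouts used in these release notes:
#   gid:sid <-> ENABLED|DISABLED <-> Message (rule-group.rules)   (Snort 2.9.x packs)
#   gid:sid <-> Message                                           (Snort 3.x packs)
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?:(?P<state>ENABLED|DISABLED)\s+<->\s+)?"
    r"(?P<msg>.+?)"
    r"(?:\s+\((?P<group>[\w.-]+\.rules)\))?$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: Optional[str]   # None for Snort 3 packs: those lists carry no default state
    message: str
    group: Optional[str]   # None for Snort 3 packs: those lists name no rules file


def parse_entry(chunk: str) -> Optional[RuleEntry]:
    # Collapse all whitespace first: the extracted page wraps entries across
    # lines, sometimes in the middle of a message or just before the group.
    flat = " ".join(chunk.split())
    m = ENTRY_RE.match(flat)
    if m is None:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])


def parse_pack(text: str) -> list:
    """Split a pack listing on its '* ' bullets, one entry per line or flattened."""
    pieces = re.split(r"\*\s+(?=\d+:\d+\s+<->)", text)
    return [e for e in map(parse_entry, pieces) if e is not None]


def disabled_by_default(entries) -> list:
    """SIDs that ship DISABLED and so never fire unless the policy enables them."""
    return sorted(e.sid for e in entries if e.state == "DISABLED")


def by_group(entries) -> dict:
    """Map each rules file to the sorted SIDs it receives in this pack."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.group or "(no group listed)"].append(e.sid)
    return {g: sorted(sids) for g, sids in groups.items()}


def pack_diff(a, b) -> list:
    """(gid, sid) pairs present in pack a but absent from pack b."""
    return sorted({(e.gid, e.sid) for e in a} - {(e.gid, e.sid) for e in b})


# Constructed sample: entries copied from the 2091101 list above, flattened the
# way the page renders them, with one entry wrapped across a line break on purpose.
SAMPLE_SNORT2 = (
    "* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules) "
    "* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules) "
    "* 1:58941 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt\n"
    "(file-other.rules) * 3:58951 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt (server-other.rules)"
)

# Constructed sample in the Snort 3 layout, which lists neither state nor group.
SAMPLE_SNORT3 = (
    "* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt "
    "* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt"
)

if __name__ == "__main__":
    s2 = parse_pack(SAMPLE_SNORT2)
    s3 = parse_pack(SAMPLE_SNORT3)
    print("disabled by default:", disabled_by_default(s2))
    print("per rules file:", by_group(s2))
    print("in 2.9 sample but not in 3.x sample:", pack_diff(s2, s3))
```

One caveat the parser makes explicit: the Snort 3 lists say nothing about default state, so `disabled_by_default()` returns an empty list for them. To learn whether a rule such as the OneDev or PEAR Archive_Tar coverage is off by default, read the Snort 2.9 list for the same release, or query the policy on the sensor itself.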
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58935 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (snort3-malware-other.rules)
* 1:58936 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (snort3-malware-other.rules)
* 1:300059 <-> ENABLED <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt (snort3-native.rules)
* 1:58949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (snort3-malware-cnc.rules)
* 1:58942 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (snort3-file-other.rules)
* 1:58944 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected (snort3-malware-cnc.rules)
* 1:58937 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (snort3-malware-cnc.rules)
* 1:58933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (snort3-malware-other.rules)
* 1:58945 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (snort3-file-other.rules)
* 1:58930 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (snort3-malware-other.rules)
* 1:58939 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (snort3-server-webapp.rules)
* 1:58931 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (snort3-malware-other.rules)
* 1:58932 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (snort3-malware-other.rules)
* 1:58940 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (snort3-server-webapp.rules)
* 1:58941 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (snort3-file-other.rules)
* 1:58938 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (snort3-malware-cnc.rules)
* 1:58934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (snort3-malware-other.rules)
* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (snort3-os-linux.rules)
* 1:58946 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (snort3-file-other.rules)
* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (snort3-os-linux.rules)
* 1:58943 <-> DISABLED <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt (snort3-malware-cnc.rules)
* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (snort3-server-webapp.rules)
* 1:58929 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (snort3-malware-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:58950 <-> DISABLED <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt (server-webapp.rules)
* 1:58933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58941 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58955 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
* 1:58932 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 1:58946 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58939 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58937 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58945 <-> DISABLED <-> FILE-OTHER PEAR Archive Tar code deserialization attempt (file-other.rules)
* 1:58949 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection (malware-cnc.rules)
* 1:58930 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58942 <-> DISABLED <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt (file-other.rules)
* 1:58936 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58931 <-> ENABLED <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt (malware-other.rules)
* 1:58940 <-> DISABLED <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt (server-webapp.rules)
* 1:58938 <-> ENABLED <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection (malware-cnc.rules)
* 1:58935 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58944 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected (malware-cnc.rules)
* 1:58934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt (malware-other.rules)
* 1:58943 <-> DISABLED <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt (malware-cnc.rules)
* 1:58929 <-> ENABLED <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt (malware-other.rules)
* 1:58956 <-> ENABLED <-> OS-LINUX Polkit pkexec privilege escalation attempt (os-linux.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:300059 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58929 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58930 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58931 <-> MALWARE-OTHER Ps1.Downloader.MuddyWater payload download attempt
* 1:58932 <-> MALWARE-OTHER Pdf.Downloader.MuddyWater variant download attempt
* 1:58933 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58934 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58935 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58936 <-> MALWARE-OTHER Xls.Dropper.MuddyWater variant download attempt
* 1:58937 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58938 <-> MALWARE-CNC Ps1.Malware.MuddyWater outbound cnc connection
* 1:58939 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58940 <-> SERVER-WEBAPP Apache Superset Markdown component cross site scripting attempt
* 1:58941 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58942 <-> FILE-OTHER PEAR Archive TAR symbolic link file overwrite attempt
* 1:58943 <-> MALWARE-CNC Win.Malware.Emotet cnc outbound connection attempt
* 1:58944 <-> MALWARE-CNC Win.Ransomware.Conti variant network share readme file detected
* 1:58945 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 1:58946 <-> FILE-OTHER PEAR Archive Tar code deserialization attempt
* 3:58947 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 3:58948 <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2022-1449 attack attempt
* 1:58949 <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection
* 1:58950 <-> SERVER-WEBAPP OneDev pre-authentication token leak attempt
* 3:58951 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58952 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1451 attack attempt
* 3:58953 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 3:58954 <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2022-1450 attack attempt
* 1:58955 <-> OS-LINUX Polkit pkexec privilege escalation attempt
* 1:58956 <-> OS-LINUX Polkit pkexec privilege escalation attempt

* 3:38671 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:38672 <-> BROWSER-IE SFVRT-1021 attack attempt
* 3:40878 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt
* 3:40879 <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt