Microsoft Vulnerability CVE-2022-30147: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 59967 through 59968, Snort3: GID 1, SID 300201.
Microsoft Vulnerability CVE-2022-30160: A coding deficiency exists in Microsoft Windows Advanced Local Procedure Call that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort2: GID 1, SIDs 59971 through 59972, Snort3: GID 1, SID 300202.
Talos also has added and modified multiple rules in the file-office, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2092000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 3:59879 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP ciphersuite detected (server-other.rules) * 3:59880 <-> ENABLED <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt (server-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59966 <-> ENABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (snort3-server-webapp.rules) * 1:59962 <-> ENABLED <-> SERVER-WEBAPP D-Link command injection attempt (snort3-server-webapp.rules) * 1:59969 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (snort3-file-office.rules) * 1:59960 <-> ENABLED <-> SERVER-WEBAPP D-Link command injection attempt (snort3-server-webapp.rules) * 1:59965 <-> ENABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (snort3-server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (snort3-malware-cnc.rules) * 1:59961 <-> ENABLED <-> SERVER-WEBAPP D-Link command injection attempt (snort3-server-webapp.rules) * 1:59964 <-> ENABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (snort3-server-webapp.rules) * 1:59970 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (snort3-file-office.rules) * 1:59963 <-> ENABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (snort3-server-webapp.rules) * 1:59959 <-> ENABLED <-> SERVER-WEBAPP D-Link command injection attempt (snort3-server-webapp.rules)
* 1:59939 <-> ENABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:59957 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59959 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59962 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59970 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59965 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59960 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59956 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules) * 1:59973 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt (server-webapp.rules) * 1:59974 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication (malware-cnc.rules) * 1:59969 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules) * 1:59964 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59968 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59967 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt (os-windows.rules) * 1:59971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59961 <-> DISABLED <-> SERVER-WEBAPP D-Link command injection attempt (server-webapp.rules) * 1:59963 <-> DISABLED <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt (server-webapp.rules) * 1:59966 <-> DISABLED <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt (server-webapp.rules) * 1:59972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt (os-windows.rules) * 1:59958 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt (malware-other.rules) * 1:59955 <-> ENABLED <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt (malware-other.rules)
* 1:59939 <-> DISABLED <-> SERVER-WEBAPP Zyxel Firewall command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.
The format of the file is:
gid:sid <-> Message
* 1:300199 <-> MALWARE-OTHER Unix.Backdoor.Dnscat2 variant binary download attempt * 1:300200 <-> MALWARE-OTHER Unix.Trojan.Symbiote variant binary download attempt * 1:300201 <-> OS-WINDOWS Microsoft Windows Installer privilege escalation attempt * 1:300202 <-> OS-WINDOWS Microsoft Windows Advanced Local Procedure Call elevation of privilege attempt * 3:59880 <-> SERVER-OTHER OpenSSL SRP heap buffer overflow attempt * 1:59959 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59960 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59961 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59962 <-> SERVER-WEBAPP D-Link command injection attempt * 1:59963 <-> SERVER-WEBAPP FatPipe WARP and VPN arbitrary JSP file upload attempt * 1:59964 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59965 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59966 <-> SERVER-WEBAPP SonicWall SMA and SRA Appliances directory traversal attempt * 1:59969 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59970 <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt * 1:59973 <-> SERVER-WEBAPP SonicWall SMA 100 remote unauthenticated buffer overflow attempt * 1:59974 <-> MALWARE-CNC Unix.Backdoor.Dnscat2 variant DNS tunneling outbound communication
* 1:59939 <-> SERVER-WEBAPP Zyxel Firewall command injection attempt
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
