The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit, exploit-kit, file-flash, file-office, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
* 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
* 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
* 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
* 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
* 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
* 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
* 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
* 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
* 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
* 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

* 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
* 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
* 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
* 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
* 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
* 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
* 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
* 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
* 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
* 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
* 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
* 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

* 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
* 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
* 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
* 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
* 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
* 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
* 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
* 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
* 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
* 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
* 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
* 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
* 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

* 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
* 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
* 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31496 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31495 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt (file-flash.rules)
* 1:31494 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31493 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31492 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31491 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31490 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31489 <-> DISABLED <-> FILE-FLASH Adobe Flash security sandbox bypass attempt (file-flash.rules)
* 1:31488 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31487 <-> ENABLED <-> MALWARE-OTHER Game Over Zeus executable download detected (malware-other.rules)
* 1:31486 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:31484 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31483 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31482 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31481 <-> ENABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31480 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31479 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31478 <-> DISABLED <-> SERVER-OTHER OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31477 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt (server-other.rules)
* 1:31476 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31475 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31474 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31473 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel PtgName invalid index exploit attempt (file-office.rules)
* 1:31472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 (blacklist.rules)
* 1:31471 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31470 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31469 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)
* 1:31468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Papras variant outbound connection (malware-cnc.rules)
* 1:31467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
* 1:31466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm Click Fraud Request (malware-cnc.rules)
* 1:31464 <-> ENABLED <-> BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm (blacklist.rules)
* 1:31463 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm (blacklist.rules)
* 1:31462 <-> DISABLED <-> FILE-OFFICE Microsoft Office Malformed MSODrawing Record attempt (file-office.rules)
* 1:31461 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Malformed MSODrawing Record attempt (file-office.rules)
* 1:31460 <-> DISABLED <-> SERVER-WEBAPP PHP DNS parsing heap overflow attempt (server-webapp.rules)
* 1:31459 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Jaktinier.A connection attempt (malware-cnc.rules)
* 1:31458 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SDBot variant outbound connection attempt (malware-cnc.rules)
* 1:31457 <-> ENABLED <-> BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot (blacklist.rules)
* 1:31456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot (blacklist.rules)
* 1:31455 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
* 1:31454 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31453 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection (malware-cnc.rules)
* 1:31452 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection attempt (malware-cnc.rules)
* 3:31451 <-> ENABLED <-> EXPLOIT Cisco Unified IP phone BVSMWeb portal attack attempt (exploit.rules)

* 1:31289 <-> ENABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
* 1:25772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:30345 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt (browser-ie.rules)
* 1:17046 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
* 1:21513 <-> ENABLED <-> MALWARE-TOOLS HOIC http denial of service attack (malware-tools.rules)
* 1:17045 <-> DISABLED <-> SERVER-OTHER CA ARCserve Backup for Laptops and Desktops LGServer handshake buffer overflow attempt (server-other.rules)
* 1:23123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt (browser-ie.rules)