The VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-identify, file-other, malware-cnc, os-mobile, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats in these technologies. Note the default rule state column in the lists below: the new malware-cnc, blacklist, exploit-kit and file-identify rules ship ENABLED, while the new exploit-detection rules for SCADA products, ActiveX controls, server-side applications and file formats ship DISABLED and will not fire until you enable them in your policy.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
* 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
* 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
* 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
* 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
* 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
* 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
* 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
* 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)

Modified rules:
* 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
* 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
* 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
* 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
* 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
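The "gid:sid <-> Default rule state <-> Message (rule group)" format used by the changelogs on this page (the 2956, 2962 and 2970 packs all use it) is easy to process mechanically, and the thing an operator most needs from it is the list of rules that ship DISABLED and therefore need explicit enabling. The Python below is an added example, not Snort or Sourcefire code. It parses entries (tolerating lines on which several entries have been run together), summarises default state per rule file, emits gid:sid lines for the categories you want switched on, and diffs two packs so you can confirm they list the same SIDs. The five sample entries are copied from this changelog; the function names are mine, and the one-gid:sid-per-line output is assumed to feed a PulledPork-style enablesid.conf.

```python
"""Parse a Snort VRT changelog ("gid:sid <-> Default rule state <-> Message (rule group)")
and turn it into things an operator acts on.

Added example, not Snort/Sourcefire code. The sample entries are copied from the
changelog on this page; the one-gid:sid-per-line output of enablesid_lines()
assumes a PulledPork-style enablesid.conf consumer.
"""
import re
from typing import List, NamedTuple

# One changelog entry. Extraction may run several entries onto a single line,
# so the parser first splits on the " * " bullet delimiter, then matches each chunk.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    enabled: bool     # False: the rule ships commented out in the default policy
    category: str     # leading token of the message, e.g. PROTOCOL-SCADA
    msg: str
    group: str        # rule file the SID lives in, e.g. protocol-scada.rules


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse changelog text into RuleEntry records, in document order."""
    entries = []
    for chunk in re.split(r"(?:^|\s)\*\s+", text):
        m = ENTRY_RE.search(chunk.strip())
        if not m:
            continue  # blank or non-entry text (headings, the format description)
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=m.group("state") == "ENABLED",
            category=msg.split(" ", 1)[0],
            msg=msg,
            group=m.group("group"),
        ))
    return entries


def disabled_by_default(entries):
    """Rules that will not fire until you enable them in your policy."""
    return [e for e in entries if not e.enabled]


def summarize_by_group(entries):
    """{rule file: (enabled_count, disabled_count)}."""
    counts = {}
    for e in entries:
        en, dis = counts.get(e.group, (0, 0))
        counts[e.group] = (en + int(e.enabled), dis + int(not e.enabled))
    return counts


def enablesid_lines(entries, categories):
    """gid:sid lines for DISABLED rules in the given message categories, in the
    one-per-line form a PulledPork-style enablesid.conf accepts (assumed)."""
    wanted = sorted({(e.gid, e.sid) for e in entries
                     if not e.enabled and e.category in categories})
    return [f"{gid}:{sid}" for gid, sid in wanted]


def diff_packs(old_entries, new_entries):
    """(added, removed) SID tuples between two changelogs; the three packs on
    this page should diff to ([], [])."""
    old = {(e.gid, e.sid) for e in old_entries}
    new = {(e.gid, e.sid) for e in new_entries}
    return sorted(new - old), sorted(old - new)


# Constructed sample: five entries copied from this changelog, with the second
# line deliberately holding two run-together entries as extraction produces.
SAMPLE = """\
* 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
* 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules) * 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
"""

if __name__ == "__main__":
    entries = parse_changelog(SAMPLE)
    for group, (en, dis) in sorted(summarize_by_group(entries).items()):
        print(f"{group:24s} enabled={en} disabled={dis}")
    print("enablesid.conf additions for SCADA coverage:")
    print("\n".join(enablesid_lines(entries, {"PROTOCOL-SCADA"})))
```

Run against the full changelog text, `summarize_by_group` makes the point of the summary paragraph concrete: every protocol-scada, server-webapp, server-other, browser-*, os-* and file-other entry in this pack is DISABLED, so a sensor that protects ICS or the listed server products gets no new coverage from this update until those SIDs are enabled. `diff_packs` on the 2956 and 2962 lists returns two empty lists, confirming the packs list the same SIDs in a different order.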
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
* 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
* 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
* 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
* 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
* 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
* 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
* 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
* 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)

Modified rules:
* 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
* 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
* 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
* 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
* 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New rules:
* 1:32967 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central DCPlugin insecure admin account creation attempt (policy-other.rules)
* 1:32968 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32969 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32970 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP name parameter directory traversal attempt (server-webapp.rules)
* 1:32971 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:32972 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nettwerk.x10.mx - Win.Trojan.Twerket (blacklist.rules)
* 1:32973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Twerket variant outbound connection (malware-cnc.rules)
* 1:32974 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32975 <-> DISABLED <-> OS-MOBILE Android ObjectInputStream privilege escalation attempt (os-mobile.rules)
* 1:32976 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32977 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuluos variant outbound connection attempt (malware-cnc.rules)
* 1:32978 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32979 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - extra IE version (blacklist.rules)
* 1:32980 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - multi-browser (blacklist.rules)
* 1:32981 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aquametron.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32982 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fxxx114.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32983 <-> ENABLED <-> BLACKLIST DNS request for known malware domain it885.com.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32984 <-> ENABLED <-> BLACKLIST DNS request for known malware domain niudoudou.com - Win.Trojan.Graftor (blacklist.rules)
* 1:32985 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wlkan.cn - Win.Trojan.Graftor (blacklist.rules)
* 1:32986 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt (malware-cnc.rules)
* 1:32987 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32988 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32989 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
* 1:32990 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Toopu outbound connection attempt (malware-cnc.rules)
* 1:32991 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32992 <-> DISABLED <-> SERVER-OTHER SAP NetWeaver SXPG_COMMAND_EXECUTE remote command execution attempt (server-other.rules)
* 1:32993 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32994 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XMLSerializer serializeToStream use-after-free attempt (browser-firefox.rules)
* 1:32995 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32996 <-> DISABLED <-> SERVER-OTHER HP LoadRunner stack buffer overflow attempt (server-other.rules)
* 1:32997 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32998 <-> DISABLED <-> SERVER-OTHER Sophos Web Appliance arbitrary command execution attempt (server-other.rules)
* 1:32999 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33000 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33001 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33002 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess SCADA command execution attempt (protocol-scada.rules)
* 1:33003 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33004 <-> DISABLED <-> BROWSER-PLUGINS SolarWinds Orion Pepco32c ActiveX clsid access attempt (browser-plugins.rules)
* 1:33005 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33006 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33007 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33008 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx NodeName buffer overflow attempt (server-webapp.rules)
* 1:33009 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33010 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33011 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33012 <-> DISABLED <-> SERVER-WEBAPP Advantec WebAccess SCADA webvact.ocx UserName buffer overflow attempt (server-webapp.rules)
* 1:33013 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33014 <-> DISABLED <-> BROWSER-PLUGINS HP LoadRunner ActiveX clsid access attempt (browser-plugins.rules)
* 1:33015 <-> DISABLED <-> PROTOCOL-SCADA ABB MicroSCADA wserver.exe EXECUTE remote code execution attempt (protocol-scada.rules)
* 1:33016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX buffer overflow attempt (browser-ie.rules)
* 1:33022 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33023 <-> DISABLED <-> FILE-OTHER Apple Quicktime invalid atom length buffer overflow attempt (file-other.rules)
* 1:33024 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33025 <-> DISABLED <-> SERVER-WEBAPP Cisco Security Agent Management Center code execution attempt (server-webapp.rules)
* 1:33026 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33027 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file attachment detected (file-identify.rules)
* 1:33028 <-> ENABLED <-> FILE-IDENTIFY Publish-iT PUI file download request (file-identify.rules)
* 1:33029 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33030 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33031 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33032 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33033 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33034 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33035 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33036 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33037 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33038 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33039 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)
* 1:33040 <-> DISABLED <-> FILE-OTHER Poster Software Publish-It buffer overflow attempt (file-other.rules)

Modified rules:
* 1:15944 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Active Directory crafted LDAP request denial of service attempt (os-windows.rules)
* 1:23232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:23233 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP client identifier length overflow attempt (os-windows.rules)
* 1:26418 <-> DISABLED <-> SERVER-WEBAPP HP System Management iprange parameter buffer overflow attempt (server-webapp.rules)
* 1:29585 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 3 buffer overflow attempt (server-other.rules)
* 1:29586 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29587 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 6 buffer overflow attempt (server-other.rules)
* 1:29588 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type 7 buffer overflow attempt (server-other.rules)
* 1:29590 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:29591 <-> ENABLED <-> SERVER-OTHER Symantec Veritas Enterprise Administrator service vxsvc type A buffer overflow attempt (server-other.rules)
* 1:32384 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre (blacklist.rules)
* 1:32674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Wiper variant outbound connection (malware-cnc.rules)
* 1:32877 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32878 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request (exploit-kit.rules)
* 1:32903 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)
* 1:32904 <-> DISABLED <-> FILE-OTHER Oracle Database Server XML stack buffer overflow attempt (file-other.rules)