Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
* 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)
* 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)
* 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
* 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
* 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
* 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
* 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
* 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
* 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
* 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
* 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
* 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)
* 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)
* 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
* 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
* 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
* 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)
* 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
* 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:40274 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40273 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40272 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40271 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40270 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40269 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40268 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40267 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40266 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40265 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40264 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40263 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected (malware-cnc.rules)
* 1:40262 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40261 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40260 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt (malware-cnc.rules)
* 1:40259 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40258 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected (malware-cnc.rules)
* 1:40256 <-> DISABLED <-> SERVER-WEBAPP Idera Up.Time Monitoring Station post2file.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:40255 <-> DISABLED <-> SERVER-WEBAPP FreePBX Music Module ajax.php command injection attempt (server-webapp.rules)
* 1:40254 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 1:40253 <-> DISABLED <-> SERVER-MYSQL Multiple SQL products privilege escalation attempt (server-mysql.rules)
* 3:40257 <-> ENABLED <-> SERVER-WEBAPP Cisco Cloud Services Platform dnslookup command injection attempt (server-webapp.rules)
* 3:40275 <-> ENABLED <-> SERVER-WEBAPP Cisco ESA internal testing interface access attempt (server-webapp.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:39840 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:39839 <-> ENABLED <-> BROWSER-IE Microsoft Windows Internet Explorer MSHTML.dll type confusion attempt (browser-ie.rules)
* 1:39567 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:38894 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server insecure deserialization command execution attempt (server-webapp.rules)
* 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38541 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
* 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
* 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:38070 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38069 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38068 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:38067 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
* 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
* 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
* 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
* 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
* 1:37527 <-> DISABLED <-> SERVER-OTHER IBM WebSphere InvokerTransformer serialized Java object remote code execution attempt (server-other.rules)
* 1:37503 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ shutdown command denial of service attempt (server-other.rules)
* 1:37363 <-> DISABLED <-> SERVER-OTHER Java Library SpringFramework unauthorized serialized object attempt (server-other.rules)
* 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
* 1:37268 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:37267 <-> ENABLED <-> BROWSER-PLUGINS Microsoft Silverlight GetChar out of bounds read attempt (browser-plugins.rules)
* 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
* 1:36963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36962 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttribute to CStyleAttrArray type confusion attempt (browser-ie.rules)
* 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
* 1:36463 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1332 buffer overflow attempt (server-other.rules)
* 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
* 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
* 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
* 1:36057 <-> DISABLED <-> SERVER-WEBAPP Apache ActiveMQ directory traversal attempt (server-webapp.rules)
* 1:35508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:35507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
* 1:35504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:35503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word incomplete ActiveX control use-after-free attempt (file-office.rules)
* 1:35425 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:20864 <-> DISABLED <-> SERVER-WEBAPP Jive Software Openfire group-summary.jsp XSS attempt (server-webapp.rules)
* 1:35424 <-> DISABLED <-> SERVER-OTHER ISC BIND TKEY Query denial of service attempt (server-other.rules)
* 1:34416 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 compatibility mode enable attempt (browser-ie.rules)
* 1:33817 <-> DISABLED <-> SERVER-OTHER Lighttpd Host header directory traversal attempt (server-other.rules)
* 1:28955 <-> DISABLED <-> SERVER-OTHER Squid HTTP Host header port parameter denial of service attempt (server-other.rules)
* 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
* 1:26850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE5 compatibility mode enable attempt (browser-ie.rules)