Talos has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-executable, file-flash, file-image, file-other, file-pdf, indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
* 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
* 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules)
* 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules)
* 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules)
* 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules)
* 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules)
* 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
* 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
* 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
* 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
* 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
* 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
* 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
* 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
* 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
* 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
* 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
* 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
* 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
* 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
* 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
* 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
* 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
* 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
* 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
* 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
* 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
* 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
* 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
* 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
* 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
* 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
* 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
* 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules)
* 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules)
* 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules)
* 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules)
* 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules)
* 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules)
* 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules)
* 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage (indicator-shellcode.rules)
* 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
* 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
* 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
* 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
* 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules)
* 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules)
* 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
* 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
* 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
* 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
* 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
* 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
* 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules)
* 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
* 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
* 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
* 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
* 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
* 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
* 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
* 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
* 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules)
* 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
* 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
* 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
* 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

* 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
* 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
* 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
* 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
* 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
* 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
* 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
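A small parser for the listing format these release notes use (an added example, not Talos or Snort code): it reads the `gid:sid <-> state <-> message (group)` entries, including ones run together on a single line or broken across lines by extraction, and answers what a sensor operator usually wants from a release note: how much of each rule file ships disabled by default, which rules in a category need an explicit enable, and which gid:sid pairs also appeared in the previous pack. The sample entries are copied from the lists on this page; the function and constant names are my own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One listing entry:  gid:sid <-> ENABLED|DISABLED <-> Message (rule-file.rules)
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def category(self):
        # Talos messages lead with the rule category (FILE-PDF, INDICATOR-SHELLCODE, ...)
        return self.msg.split(" ", 1)[0]


def parse_listing(text):
    """Parse a release listing into Rule objects.

    Whitespace (including line breaks that extraction put inside an entry)
    is collapsed first, so entries split like 'reverse connect\\nshell (...)'
    are still matched. The '*' bullets between entries are simply skipped.
    """
    flat = " ".join(text.split())
    return [
        Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
             m["msg"].strip(), m["group"])
        for m in ENTRY_RE.finditer(flat)
    ]


def state_summary(rules):
    """Per rule file, how many rules ship ENABLED vs DISABLED by default."""
    summary = defaultdict(Counter)
    for r in rules:
        summary[r.group]["enabled" if r.enabled else "disabled"] += 1
    return {group: dict(counts) for group, counts in summary.items()}


def disabled_by_default(rules, category):
    """SIDs in a category that ship DISABLED and need an explicit enable in local policy."""
    return sorted(r.sid for r in rules if not r.enabled and r.category == category)


def carried_over(previous, current):
    """gid:sid pairs present in both listings: touched again in the newer pack."""
    return sorted({(r.gid, r.sid) for r in previous} & {(r.gid, r.sid) for r in current})


# Constructed excerpts of the 2976 and 2983 listings above, kept in the page's
# run-together format (one entry is deliberately broken across two lines).
RELEASE_2976 = """\
* 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules) * 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules) * 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect
shell (indicator-shellcode.rules) * 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
* 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
"""

RELEASE_2983 = """\
* 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules) * 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules) * 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
"""


if __name__ == "__main__":
    rules = parse_listing(RELEASE_2976)
    for group, counts in sorted(state_summary(rules).items()):
        print(f"{group:28} {counts}")
    print("shellcode rules off by default:", disabled_by_default(rules, "INDICATOR-SHELLCODE"))
    print("also in 2983:", carried_over(rules, parse_listing(RELEASE_2983)))
```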
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
* 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
* 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
* 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
* 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
* 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
* 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
* 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules)
* 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules)
* 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules)
* 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules)
* 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules)
* 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules)
* 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules)
* 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules)
* 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules)
* 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules)
* 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules)
* 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules)
* 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules)
* 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage (indicator-shellcode.rules)
* 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
* 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
* 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
* 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
* 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
* 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
* 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
* 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
* 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
* 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
* 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
* 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
* 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
* 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
* 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
* 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
* 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
* 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
* 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
* 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
* 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
* 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
* 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
* 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
* 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
* 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
* 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
* 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
* 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
* 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
* 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
* 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
* 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules)
* 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules)
* 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
* 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
* 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules)
* 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
* 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules)
* 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules)
* 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
* 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules)
* 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
* 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules)
* 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules)
* 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
* 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)

* 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
* 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
* 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules)
* 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
* 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules)
* 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules)
* 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
* 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
* 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules)
* 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
* 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:41326 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 1:41325 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA Engine use after free attempt (file-pdf.rules)
* 1:41324 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41323 <-> DISABLED <-> FILE-PDF Adobe Reader JPEG 2000 COD marker use after free attempt (file-pdf.rules)
* 1:41322 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41321 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro zoom caching use after free attempt (file-pdf.rules)
* 1:41320 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41319 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader cross reference table memory corruption attempt (file-pdf.rules)
* 1:41318 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Visbot (blacklist.rules)
* 1:41317 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41316 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41315 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DragonOK variant outbound connection (malware-cnc.rules)
* 1:41314 <-> DISABLED <-> EXPLOIT-KIT Rig exploit kit landing page detected (exploit-kit.rules)
* 1:41305 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41304 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41303 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41302 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41301 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41300 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41299 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41298 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jpeg decoding heap buffer overflow attempt (file-image.rules)
* 1:41297 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41296 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41295 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41294 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41293 <-> DISABLED <-> INDICATOR-SHELLCODE x86 decoder (indicator-shellcode.rules)
* 1:41292 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 PassiveX stage (indicator-shellcode.rules)
* 1:41291 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 EMET disable (indicator-shellcode.rules)
* 1:41290 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 download execute (indicator-shellcode.rules)
* 1:41289 <-> DISABLED <-> INDICATOR-SHELLCODE Windows x86 add user (indicator-shellcode.rules)
* 1:41288 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 reverse connect shell (indicator-shellcode.rules)
* 1:41287 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 FindSock shell (indicator-shellcode.rules)
* 1:41286 <-> DISABLED <-> INDICATOR-SHELLCODE Solaris x86 bind shell (indicator-shellcode.rules)
* 1:41285 <-> DISABLED <-> INDICATOR-SHELLCODE SCO OpenServer x86 shell (indicator-shellcode.rules)
* 1:41284 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 bind shell (indicator-shellcode.rules)
* 1:41283 <-> DISABLED <-> INDICATOR-SHELLCODE OpenBSD x86 add user (indicator-shellcode.rules)
* 1:41282 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41281 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41280 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 shell (indicator-shellcode.rules)
* 1:41279 <-> DISABLED <-> INDICATOR-SHELLCODE NetBSD x86 reverse connect shell (indicator-shellcode.rules)
* 1:41278 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix (indicator-shellcode.rules)
* 1:41277 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - solaris/linux (indicator-shellcode.rules)
* 1:41276 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc (indicator-shellcode.rules)
* 1:41275 <-> DISABLED <-> INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc (indicator-shellcode.rules)
* 1:41274 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC Xterm execution (indicator-shellcode.rules)
* 1:41273 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell setuid (indicator-shellcode.rules)
* 1:41272 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC shell (indicator-shellcode.rules)
* 1:41271 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free (indicator-shellcode.rules)
* 1:41270 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse stage (indicator-shellcode.rules)
* 1:41269 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reverse shell (indicator-shellcode.rules)
* 1:41268 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC reboot (indicator-shellcode.rules)
* 1:41267 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor (indicator-shellcode.rules)
* 1:41266 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC create setuid (indicator-shellcode.rules)
* 1:41265 <-> DISABLED <-> INDICATOR-SHELLCODE Mac OS X PPC add user (indicator-shellcode.rules)
* 1:41264 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell (indicator-shellcode.rules)
* 1:41263 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 FindSock shell (indicator-shellcode.rules)
* 1:41262 <-> DISABLED <-> INDICATOR-SHELLCODE Linux x86 execute (indicator-shellcode.rules)
* 1:41261 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41260 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC reverse connect shell (indicator-shellcode.rules)
* 1:41259 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC FindSock shell (indicator-shellcode.rules)
* 1:41258 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41257 <-> DISABLED <-> INDICATOR-SHELLCODE Linux SPARC bind shell (indicator-shellcode.rules)
* 1:41256 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41255 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC shell (indicator-shellcode.rules)
* 1:41254 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC reverse connect shell (indicator-shellcode.rules)
* 1:41253 <-> DISABLED <-> INDICATOR-SHELLCODE Linux PPC read execute (indicator-shellcode.rules)
* 1:41252 <-> DISABLED <-> INDICATOR-SHELLCODE Linux MIPS shell (indicator-shellcode.rules)
* 1:41251 <-> DISABLED <-> INDICATOR-SHELLCODE IRIX MIPS shell (indicator-shellcode.rules)
* 1:41250 <-> DISABLED <-> INDICATOR-SHELLCODE HP-UX PA-RISC shell (indicator-shellcode.rules)
* 1:41249 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41248 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell (indicator-shellcode.rules)
* 1:41247 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec (indicator-shellcode.rules)
* 1:41246 <-> DISABLED <-> INDICATOR-SHELLCODE freeBSD x86 kldload (indicator-shellcode.rules)
* 1:41245 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41244 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell - evade (indicator-shellcode.rules)
* 1:41243 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 shell (indicator-shellcode.rules)
* 1:41242 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 setuid shell (indicator-shellcode.rules)
* 1:41241 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse stage
(indicator-shellcode.rules) * 1:41240 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules) * 1:41239 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 reverse connect shell (indicator-shellcode.rules) * 1:41238 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 mail passwd (indicator-shellcode.rules) * 1:41237 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindSock shell (indicator-shellcode.rules) * 1:41236 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 FindRecv stage (indicator-shellcode.rules) * 1:41235 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 execute (indicator-shellcode.rules) * 1:41234 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 chroot (indicator-shellcode.rules) * 1:41233 <-> DISABLED <-> INDICATOR-SHELLCODE BSD x86 bind stage (indicator-shellcode.rules) * 1:41232 <-> DISABLED <-> INDICATOR-SHELLCODE BSD SPARC bind shell (indicator-shellcode.rules) * 1:41231 <-> DISABLED <-> INDICATOR-SHELLCODE BSD PPC shell (indicator-shellcode.rules) * 1:41230 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell toupper (indicator-shellcode.rules) * 1:41229 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 shell (indicator-shellcode.rules) * 1:41228 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 reverse connect stage (indicator-shellcode.rules) * 1:41227 <-> DISABLED <-> INDICATOR-SHELLCODE BSDi x86 bind stage (indicator-shellcode.rules) * 1:41226 <-> DISABLED <-> INDICATOR-SHELLCODE AIX /bin/sh (indicator-shellcode.rules) * 1:38326 <-> ENABLED <-> DELETED c0bdc889-edb1-4feb-9347-0f1b75d18b4b (deleted.rules) * 1:38325 <-> ENABLED <-> DELETED a692bcbd-da6a-4950-9f36-e1cdd8918175 (deleted.rules) * 3:40880 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0237 attack attempt (server-webapp.rules) * 3:41224 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules) * 3:41225 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0243 attack attempt (file-pdf.rules) * 3:41306 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER 
TALOS-2016-0256 attack attempt (file-executable.rules) * 3:41307 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0256 attack attempt (file-executable.rules) * 3:41308 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules) * 3:41309 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0247 attack attempt (file-other.rules) * 3:41310 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules) * 3:41311 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0223 attack attempt (file-image.rules) * 3:41312 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules) * 3:41313 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2016-0246 attack attempt (file-executable.rules) * 3:41327 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules) * 3:41328 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0271 attack attempt (file-pdf.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules) * 1:41142 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules) * 1:41181 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules) * 1:41155 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules) * 1:41154 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt (file-pdf.rules) * 1:41149 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules) * 1:41144 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules) * 1:41143 <-> ENABLED <-> FILE-PDF Adobe Acrobat animateSyncButton use after free attempt (file-pdf.rules) * 1:41148 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules) * 1:41146 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules) * 1:41182 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules) * 1:41183 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules) * 1:41193 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41184 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt (file-image.rules) * 1:41194 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine stack buffer overflow attempt (file-pdf.rules) * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules) * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro 
malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules) * 1:41034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules) * 1:40753 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules) * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules) * 1:41147 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules) * 1:41145 <-> DISABLED <-> FILE-IMAGE Adobe Reader malformed app13 marker memory corruption attempt (file-image.rules)