Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
* 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
* 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
* 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
* 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (server-other.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
* 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
* 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
* 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
* 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (server-other.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
* 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
* 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
* 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (snort3-server-webapp.rules)
* 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
* 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (snort3-server-other.rules)
* 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (snort3-file-image.rules)
* 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (snort3-file-image.rules)
* 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
* 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
* 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
* 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
* 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (snort3-browser-plugins.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (snort3-file-other.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (snort3-file-flash.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (snort3-file-other.rules)
* 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
* 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (snort3-server-webapp.rules)
* 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (snort3-file-flash.rules)
* 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (snort3-file-office.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (snort3-server-webapp.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
* 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (snort3-server-other.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (snort3-file-flash.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (snort3-file-flash.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
* 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (snort3-browser-plugins.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (snort3-file-flash.rules)
* 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (snort3-file-office.rules)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (snort3-server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
* 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (snort3-server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
* 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (snort3-server-webapp.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
* 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (snort3-server-webapp.rules)
* 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (snort3-server-webapp.rules)
* 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (snort3-server-webapp.rules)
* 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (snort3-server-webapp.rules)
* 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (snort3-server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
* 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (snort3-file-office.rules)
* 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (snort3-file-office.rules)
* 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
* 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (snort3-indicator-compromise.rules)
* 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (snort3-server-webapp.rules)
* 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (snort3-indicator-compromise.rules)
* 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (snort3-file-flash.rules)
* 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (snort3-file-executable.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (snort3-server-webapp.rules)
* 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
* 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
* 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
* 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
* 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
* 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
* 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (server-other.rules)
* 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
* 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
* 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
* 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
* 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
* 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
* 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
* 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
* 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
* 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
* 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
* 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
* 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
* 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
* 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
* 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
* 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
* 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
* 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
* 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
* 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
* 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
* 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
* 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
* 1:45555 <-> DISABLED <-> SERVER-WEBAPP
MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules) * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules) * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules) * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules) * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules) * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules) * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules) * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (server-other.rules) * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules) * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules) * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules) * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules) * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules) * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)