Talos has added and modified multiple rules in the browser-plugins, deleted, malware-cnc, os-windows, pua-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
* 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
* 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
* 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
* 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
* 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
* 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
* 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
* 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
* 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
* 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
* 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
* 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
* 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
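The gid:sid <-> state <-> message (group) layout used in these lists is simple to machine-parse, which is how most teams decide what to do with a rule drop: count what ships ENABLED versus DISABLED, separate retired rules (moved to deleted.rules) from live ones, and pull out the DISABLED-by-default SIDs that must be opted into for software actually in use. The following is an added example, not Talos or Snort tooling; its sample input is constructed from four entries on this page, and the one-gid:sid-per-line output format is an assumption about PulledPork's enablesid.conf that the page itself does not describe.

```python
"""Parse Talos rule-update changelog entries of the form
   gid:sid <-> Default rule state <-> Message (rule group)
and pick out what a deployment team usually needs from them."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four entries copied from the Snort 2983 list on this page,
# run together on one line (and one wrapped mid-message) the way extraction left them.
SAMPLE = (
    "* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace "
    "directory traversal attempt (server-webapp.rules) "
    "* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello \n"
    "attempt (pua-other.rules) "
    "* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound "
    "system information disclousre (deleted.rules) "
    "* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java "
    "expression language injection attempt (server-webapp.rules)"
)

ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str   # default state in the shipped ruleset: ENABLED or DISABLED
    msg: str
    group: str   # rules file the SID lives in, e.g. malware-cnc.rules

    @property
    def deleted(self) -> bool:
        # Retired rules are moved to deleted.rules (snort3-deleted.rules for Snort 3).
        return self.group.endswith("deleted.rules")

    @property
    def category(self) -> str:
        # First token of the message is the Talos category; a retired rule
        # keeps its old category after the DELETED marker.
        tokens = self.msg.split()
        if tokens[0] == "DELETED":
            tokens = tokens[1:]
        return tokens[0]


def parse_changelog(text: str) -> list[RuleEntry]:
    # Collapse whitespace first so an entry wrapped across lines is rejoined,
    # then split on the "* " bullet that opens every entry.
    flat = " ".join(text.split())
    entries: list[RuleEntry] = []
    for chunk in flat.split("* "):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = ENTRY_RE.match(chunk)
        if m is None:
            raise ValueError(f"unparseable changelog entry: {chunk!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                 m["msg"], m["group"]))
    return entries


def state_counts(entries: list[RuleEntry]) -> dict[str, int]:
    return dict(Counter(e.state for e in entries))


def opt_in_candidates(entries: list[RuleEntry],
                      categories: set[str] | None = None) -> list[RuleEntry]:
    """Live rules that ship DISABLED: Talos leaves these off by default (often
    vulnerability-specific SERVER-WEBAPP rules), so they only fire if you turn
    them on for software you actually run."""
    return [e for e in entries
            if e.state == "DISABLED" and not e.deleted
            and (categories is None or e.category in categories)]


def enablesid_lines(entries: list[RuleEntry]) -> list[str]:
    """One gid:sid per line, numerically ordered: the form PulledPork's
    enablesid.conf accepts (an assumption about that tool, not from this page)."""
    return [f"{e.gid}:{e.sid}" for e in sorted(entries, key=lambda e: (e.gid, e.sid))]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(state_counts(parsed))
    for line in enablesid_lines(opt_in_candidates(parsed, {"SERVER-WEBAPP"})):
        print(line)
```

Run against a whole section of this page, the same functions give the ENABLED/DISABLED split per drop and a ready-made opt-in list; filtering by category (for example only SERVER-WEBAPP on hosts that run HP IMC) keeps the list to rules you can justify turning on.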
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
* 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
* 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
* 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
* 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
* 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
* 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
* 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
* 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
* 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
* 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
* 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
* 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
* 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
* 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (snort3-pua-other.rules)
* 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (snort3-pua-other.rules)
* 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (snort3-pua-other.rules)
* 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (snort3-malware-cnc.rules)
* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (snort3-server-webapp.rules)
* 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (snort3-malware-cnc.rules)
* 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (snort3-malware-cnc.rules)
* 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (snort3-malware-cnc.rules)
* 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (snort3-malware-cnc.rules)
* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (snort3-deleted.rules)
* 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules)
* 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (snort3-malware-cnc.rules)
* 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (snort3-malware-cnc.rules)
* 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (snort3-malware-cnc.rules)
* 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (snort3-malware-cnc.rules)
* 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (snort3-malware-cnc.rules)
* 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (snort3-malware-cnc.rules)
* 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (snort3-malware-cnc.rules)
* 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (snort3-pua-other.rules)
* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (snort3-pua-other.rules)
* 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (snort3-browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
* 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (snort3-os-windows.rules)
* 1:31870 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file download request (snort3-deleted.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (snort3-browser-plugins.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:31865 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
* 1:31867 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
* 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (snort3-os-windows.rules)
* 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (snort3-malware-cnc.rules)
* 1:31866 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
* 1:31869 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file download request (snort3-deleted.rules)
* 1:31868 <-> DISABLED <-> DELETED FILE-IDENTIFY JPEG file attachment detected (snort3-deleted.rules)
* 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (snort3-server-other.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (snort3-browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
* 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
* 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
* 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
* 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
* 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
* 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
* 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
* 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
* 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
* 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
* 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45947 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45946 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:45945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSky variant outbound connection (malware-cnc.rules)
* 1:45944 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45943 <-> DISABLED <-> MALWARE-CNC known malicious SSL certificate - Odinaff C&C (malware-cnc.rules)
* 1:45968 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45967 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration (malware-cnc.rules)
* 1:45966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat (malware-cnc.rules)
* 1:45965 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (deleted.rules)
* 1:45964 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre (malware-cnc.rules)
* 1:45963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check (malware-cnc.rules)
* 1:45962 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check (malware-cnc.rules)
* 1:45961 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection (malware-cnc.rules)
* 1:45960 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silverstar outbound connection (malware-cnc.rules)
* 1:45959 <-> DISABLED <-> SERVER-WEBAPP ZEIT Next.js /_next namespace directory traversal attempt (server-webapp.rules)
* 1:45958 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45957 <-> DISABLED <-> SERVER-WEBAPP HP IMC iccSelectDeviceSeries Java expression language injection attempt (server-webapp.rules)
* 1:45956 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection (malware-cnc.rules)
* 1:45955 <-> ENABLED <-> PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt (pua-other.rules)
* 1:45954 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45953 <-> DISABLED <-> SERVER-WEBAPP HP IMC mediaForAction Java expression language injection attempt (server-webapp.rules)
* 1:45952 <-> ENABLED <-> PUA-OTHER Authedmine TLS client hello attempt (pua-other.rules)
* 1:45951 <-> ENABLED <-> PUA-OTHER Authedmine TLS server hello attempt (pua-other.rules)
* 1:45950 <-> ENABLED <-> PUA-OTHER Coinhive TLS client hello attempt (pua-other.rules)
* 1:45949 <-> ENABLED <-> PUA-OTHER Coinhive TLS server hello attempt (pua-other.rules)
* 1:45948 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt (malware-cnc.rules)
* 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:18501 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine elevation of privilege attempt (os-windows.rules)
* 1:20212 <-> DISABLED <-> SERVER-OTHER SSL CBC encryption mode weakness brute force attempt (server-other.rules)
* 1:26784 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Nivdort variant outbound connection (malware-cnc.rules)
* 1:27788 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
* 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:27793 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access (browser-plugins.rules)
* 1:41365 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RtlQueryRegistryValues buffer overflow attempt (os-windows.rules)
* 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
* 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)