Talos has added and modified multiple rules in the app-detect, exploit-kit, file-image, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
* 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
* 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
* 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
* 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
* 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
* 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
* 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
* 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
* 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
* 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
* 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
* 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
* 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
* 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
* 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (snort3-server-other.rules)
* 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (snort3-server-webapp.rules)
* 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (snort3-server-webapp.rules)
* 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (snort3-malware-cnc.rules)
* 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (snort3-malware-cnc.rules)
* 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (snort3-os-windows.rules)
* 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (snort3-server-webapp.rules)
* 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (snort3-file-other.rules)
* 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (snort3-malware-cnc.rules)
* 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (snort3-file-other.rules)
* 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (snort3-server-webapp.rules)
* 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (snort3-server-webapp.rules)
* 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (snort3-malware-cnc.rules)
* 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (snort3-policy-other.rules)
* 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (snort3-server-webapp.rules)
* 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (snort3-malware-cnc.rules)
* 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (snort3-malware-backdoor.rules)
* 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (snort3-os-windows.rules)
* 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (snort3-exploit-kit.rules)
* 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (snort3-exploit-kit.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (snort3-app-detect.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (snort3-exploit-kit.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (snort3-exploit-kit.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
* 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (snort3-exploit-kit.rules)
* 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (snort3-exploit-kit.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (snort3-file-pdf.rules)
* 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (snort3-exploit-kit.rules)
* 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (snort3-exploit-kit.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
* 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
* 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
* 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
* 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
* 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
* 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
* 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
* 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45975 <-> ENABLED <-> MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt (malware-backdoor.rules)
* 1:45974 <-> ENABLED <-> MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt (malware-cnc.rules)
* 1:45973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chafer malicious communication attempt (malware-cnc.rules)
* 1:45971 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess webvrpcs service arbitrary command execution attempt (server-other.rules)
* 1:45970 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45969 <-> DISABLED <-> SERVER-WEBAPP SugarCRM cross site scripting attempt (server-webapp.rules)
* 1:45996 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45995 <-> DISABLED <-> SERVER-WEBAPP CoreOS etcd service private keys listing attempt (server-webapp.rules)
* 1:45990 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45989 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path element out of bounds memory access attempt (file-other.rules)
* 1:45984 <-> DISABLED <-> SERVER-WEBAPP Joomla component Jimtawl 2.2.5 arbitrary PHP file upload attempt (server-webapp.rules)
* 1:45983 <-> DISABLED <-> POLICY-OTHER Sandvine PacketLogic http redirection attempt (policy-other.rules)
* 1:45980 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection (malware-cnc.rules)
* 1:45979 <-> ENABLED <-> MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection (malware-cnc.rules)
* 1:45978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt (os-windows.rules)
* 1:45976 <-> ENABLED <-> SERVER-WEBAPP Pivotal Spring Data REST PATCH request remote code execution attempt (server-webapp.rules)
* 3:45999 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:46000 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45987 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:46001 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:46002 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0541 attack attempt (file-image.rules)
* 3:45986 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45982 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45985 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45981 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0540 attack attempt (file-other.rules)
* 3:45998 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45994 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45997 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0542 attack attempt (file-image.rules)
* 3:45992 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45993 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 3:45988 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0544 attack attempt (file-image.rules)
* 3:45991 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0543 attack attempt (file-image.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
* 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
* 1:39677 <-> DISABLED <-> EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt (exploit-kit.rules)
* 1:40335 <-> DISABLED <-> APP-DETECT OpenVAS Scanner User-Agent attempt (app-detect.rules)
* 1:39081 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt (exploit-kit.rules)
* 1:39240 <-> DISABLED <-> EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt (exploit-kit.rules)
* 1:37207 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page (exploit-kit.rules)
* 1:37361 <-> DISABLED <-> EXPLOIT-KIT DarkLeech iframe injection tool detected (exploit-kit.rules)
* 1:36797 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36492 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit gate detected (exploit-kit.rules)
* 1:36535 <-> DISABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)