Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, deleted, file-pdf, malware-cnc, malware-other, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (server-webapp.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (server-webapp.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (malware-cnc.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (browser-plugins.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (deleted.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (server-webapp.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49907 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49908 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49909 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49910 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49911 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)

* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (server-webapp.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
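The gid:sid list is identical across the rule packs in this release, so it pays to parse it once rather than read it six times. The Python script below is an added illustration, not part of the Talos release notes or the Snort tooling: it parses entries in the `gid:sid <-> state <-> message (rule group)` format described above (tolerating entries that extraction has run together on one line), separates the rules that ship DISABLED and therefore never fire until the local policy opts into them, skips the deleted.rules entries (retired rules that should not be re-enabled), and flags gid 3 entries, which are shared-object rules that need the precompiled .so matching your Snort build. The sample text is constructed from entries on this page; the one-`gid:sid`-per-line output for the enable list is an assumed PulledPork-style enablesid.conf layout.

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from this release, not the full list.
SAMPLE = """\
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
"""

# One entry: "* gid:sid <-> STATE <-> MESSAGE (rulefile)". The non-greedy message
# stops at the first "(something.rules)", so several entries on one line still split.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


def parse_entries(text):
    """Return one dict per rule entry found in the release-note text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            # gid 3 is the generator used for shared-object (SO) rules, which ship as
            # precompiled libraries and only load if the .so for your platform is present.
            "shared_object": m["gid"] == "3",
        })
    return entries


def enable_candidates(entries):
    """gid:sid of live rules that ship DISABLED and so need an explicit opt-in.

    deleted.rules entries are retired and excluded; re-enabling them buys nothing.
    """
    return sorted(
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["state"] == "DISABLED" and e["group"] != "deleted.rules"
    )


def shared_object_rules(entries):
    """gid:sid of SO rules; check the matching .so is installed or they silently do nothing."""
    return sorted(f"{e['gid']}:{e['sid']}" for e in entries if e["shared_object"])


def count_by_group(entries):
    """Counter keyed by (rule file, default state), e.g. ('server-webapp.rules', 'DISABLED')."""
    return Counter((e["group"], e["state"]) for e in entries)


if __name__ == "__main__":
    rules = parse_entries(SAMPLE)
    for (group, state), n in sorted(count_by_group(rules).items()):
        print(f"{group:28} {state:8} {n}")
    # Assumed enablesid.conf layout: one gid:sid per line.
    print("# candidate enablesid.conf entries")
    print("\n".join(enable_candidates(rules)))
    print("# shared-object rules to verify:", ", ".join(shared_object_rules(rules)))
```

Run it over the full list of a release to see at a glance that the command-injection, ActiveX and router CSRF rules above all default to DISABLED: they detect nothing on a sensor that only takes the defaults.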
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (deleted.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (malware-cnc.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (server-webapp.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (server-webapp.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (server-webapp.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49907 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49908 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49909 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49910 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49911 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)

* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (server-webapp.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (deleted.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (malware-cnc.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (server-webapp.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (server-webapp.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (server-webapp.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49907 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49908 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49909 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49910 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49911 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)

* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (server-webapp.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (snort3-server-webapp.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (snort3-deleted.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (snort3-browser-plugins.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (snort3-browser-plugins.rules)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (snort3-server-webapp.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (snort3-server-webapp.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (snort3-malware-other.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (snort3-malware-cnc.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (snort3-server-webapp.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (snort3-server-webapp.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (snort3-server-webapp.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (snort3-server-webapp.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (snort3-browser-plugins.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (snort3-malware-other.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (snort3-browser-plugins.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (snort3-server-webapp.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (snort3-malware-other.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (snort3-browser-plugins.rules)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (snort3-browser-plugins.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (snort3-server-webapp.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (snort3-malware-cnc.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (snort3-browser-firefox.rules)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (snort3-server-webapp.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (snort3-malware-cnc.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (snort3-malware-cnc.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (snort3-browser-firefox.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (snort3-deleted.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (snort3-browser-plugins.rules)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (snort3-browser-plugins.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (snort3-server-webapp.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (snort3-malware-other.rules)

* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (snort3-browser-ie.rules)
* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (snort3-browser-plugins.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (snort3-server-webapp.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (snort3-browser-ie.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (snort3-server-webapp.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (snort3-browser-ie.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (snort3-browser-ie.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (snort3-server-webapp.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (malware-cnc.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (deleted.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (server-webapp.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (server-webapp.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (server-webapp.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49907 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49908 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49909 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49910 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49911 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)

* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (server-webapp.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49922 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49924 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49934 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 1:49935 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:30700 <-> DISABLED <-> DELETED PSEKoQnSC3lM54tb0njF (deleted.rules)
* 1:49938 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49901 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:30581 <-> DISABLED <-> DELETED lCE9AFxy45YWUJ4i25c0 (deleted.rules)
* 1:49914 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49936 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt (malware-other.rules)
* 1:49920 <-> DISABLED <-> SERVER-WEBAPP generic cross site scripting via url attempt (server-webapp.rules)
* 1:49913 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader file download request (malware-cnc.rules)
* 1:49917 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49916 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader update request (malware-cnc.rules)
* 1:49915 <-> ENABLED <-> MALWARE-CNC Win.Downloader.JasperLoader outbound connection (malware-cnc.rules)
* 1:49918 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength appendItem use after free attempt (browser-firefox.rules)
* 1:49902 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49905 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49900 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49923 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49903 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS ToneIndicator stack buffer overflow attempt (browser-plugins.rules)
* 1:49921 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:49904 <-> DISABLED <-> BROWSER-PLUGINS Tom Sawyer GET extension ActiveX function call access attempt (browser-plugins.rules)
* 1:49930 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49926 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49919 <-> DISABLED <-> SERVER-WEBAPP generic session fixation attempt (server-webapp.rules)
* 1:49928 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTML5 ping DDoS attempt (server-webapp.rules)
* 1:49929 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49927 <-> DISABLED <-> BROWSER-PLUGINS HP OPOS Point of Sale Driver stack buffer overflow attempt (browser-plugins.rules)
* 1:49925 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)
* 1:49937 <-> DISABLED <-> SERVER-WEBAPP Tenda Wireless N150 Router cross-site request forgery attempt (server-webapp.rules)
* 1:49931 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49932 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer MSXML .definition ActiveX clsid access attempt (browser-plugins.rules)
* 1:49933 <-> ENABLED <-> MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt (malware-other.rules)
* 3:49906 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49907 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0814 attack attempt (file-pdf.rules)
* 3:49908 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49909 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0815 attack attempt (file-pdf.rules)
* 3:49910 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49911 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0816 attack attempt (file-pdf.rules)
* 3:49912 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0811 attack attempt (protocol-other.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Multiple products invalid HTTP request attempt (server-webapp.rules)
* 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
* 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
* 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
* 1:34948 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest command injection attempt (server-webapp.rules)
* 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
* 1:34949 <-> DISABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center tsmRequest command injection attempt (server-webapp.rules)