Talos has added and modified multiple rules in the browser-ie, browser-webkit, file-image, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 3:50035 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50036 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50037 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
* 3:50038 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0831 attack attempt (server-webapp.rules)
* 3:50039 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (server-webapp.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (server-webapp.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 3:50039 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0831 attack attempt (server-webapp.rules)
* 3:50038 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50036 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50037 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
* 3:50035 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (server-webapp.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (server-webapp.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 3:50038 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0831 attack attempt (server-webapp.rules)
* 3:50039 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50037 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
* 3:50036 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50035 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (server-webapp.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (server-webapp.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (snort3-browser-ie.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (snort3-browser-ie.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (snort3-pua-adware.rules)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (snort3-pua-adware.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (snort3-server-webapp.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (snort3-server-webapp.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (snort3-server-webapp.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (snort3-browser-webkit.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (snort3-browser-webkit.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (snort3-server-webapp.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (snort3-server-webapp.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (snort3-server-webapp.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (snort3-server-webapp.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (snort3-server-webapp.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 3:50036 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50037 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
* 3:50038 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0831 attack attempt (server-webapp.rules)
* 3:50039 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50035 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (server-webapp.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (server-webapp.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50010 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50030 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50013 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
* 1:50032 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50012 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SectorB06 malicious executable download attempt (malware-cnc.rules)
* 1:50017 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50016 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50034 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50014 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50023 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50015 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50024 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50022 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50018 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50020 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50021 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50029 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 1:50019 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50031 <-> DISABLED <-> SERVER-WEBAPP Dojo Toolkit SDK cross site scripting attempt (server-webapp.rules)
* 1:50033 <-> DISABLED <-> BROWSER-WEBKIT Apple WebKit updateReferencedText use-after-free attempt (browser-webkit.rules)
* 1:50025 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:50026 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50027 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer window scroll integer overflow attempt (browser-ie.rules)
* 1:50028 <-> DISABLED <-> PUA-ADWARE Osx.Adware.TotalAdviseSearch variant download attempt (pua-adware.rules)
* 3:50036 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50035 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0821 attack attempt (file-image.rules)
* 3:50038 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50039 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0819 attack attempt (file-pdf.rules)
* 3:50040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0831 attack attempt (server-webapp.rules)
* 3:50037 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
* 1:49642 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:49643 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:49644 <-> DISABLED <-> SERVER-WEBAPP Multiple PACS Server directory traversal attempt (server-webapp.rules)
* 1:976 <-> DISABLED <-> SERVER-WEBAPP .bat? access (server-webapp.rules)
* 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 1:9791 <-> DISABLED <-> SERVER-WEBAPP .cmd? access (server-webapp.rules)
* 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
* 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
* 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)