Talos has added and modified multiple rules in the browser-ie, browser-webkit, content-replace, indicator-scan, malware-cnc, os-windows, protocol-services and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (snort3-server-other.rules)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (snort3-browser-ie.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (snort3-indicator-scan.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (snort3-server-webapp.rules)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (snort3-malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (snort3-malware-cnc.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (snort3-malware-cnc.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (snort3-malware-cnc.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (snort3-malware-cnc.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (snort3-malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (snort3-malware-cnc.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (snort3-browser-webkit.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (snort3-browser-webkit.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (snort3-malware-cnc.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (snort3-server-webapp.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (snort3-malware-cnc.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (snort3-server-webapp.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (snort3-os-windows.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (snort3-content-replace.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (snort3-content-replace.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (snort3-content-replace.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (snort3-content-replace.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (snort3-content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (snort3-content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (snort3-content-replace.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (snort3-content-replace.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (snort3-content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (snort3-malware-cnc.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (snort3-content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (snort3-malware-cnc.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (snort3-content-replace.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (snort3-protocol-services.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (snort3-content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (snort3-content-replace.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (snort3-content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (snort3-content-replace.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (snort3-server-webapp.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (snort3-content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (snort3-content-replace.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50172 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:50171 <-> ENABLED <-> MALWARE-CNC Php.Webshell.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:50170 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50169 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50168 <-> ENABLED <-> SERVER-WEBAPP Atlassian Confluence Data Center and Server directory traversal attempt (server-webapp.rules)
* 1:50167 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50166 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti malicious executable download attempt (malware-cnc.rules)
* 1:50165 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound ICMP connection (malware-cnc.rules)
* 1:50164 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Winnti variant outbound connection (malware-cnc.rules)
* 1:50163 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50162 <-> DISABLED <-> OS-WINDOWS Micrsoft Windows Task Scheduler _SchRpcRegisterTask privilege escalation attempt (os-windows.rules)
* 1:50161 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50160 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit SVGTextLayoutAttributes use-after-free attempt (browser-webkit.rules)
* 1:50159 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50158 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50157 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant file download request (malware-cnc.rules)
* 1:50156 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50155 <-> ENABLED <-> MALWARE-CNC Win.Download.JasperLoader variant initial stage download request (malware-cnc.rules)
* 1:50154 <-> ENABLED <-> MALWARE-CNC Win.Malware.JasperLoader variant outbound connection (malware-cnc.rules)
* 1:50182 <-> DISABLED <-> INDICATOR-SCAN PHP backdoor scan attempt (indicator-scan.rules)
* 1:50181 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt (browser-ie.rules)
* 1:50180 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50179 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50178 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buckeye malicious executable download attempt (malware-cnc.rules)
* 1:50176 <-> DISABLED <-> SERVER-OTHER Horos DICOM Medical Image Viewer stack overflow attempt (server-other.rules)
* 1:50175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
* 1:50173 <-> DISABLED <-> SERVER-WEBAPP Allied Telesis 8100L cross site scripting attempt (server-webapp.rules)
* 1:15570 <-> DISABLED <-> CONTENT-REPLACE Google Talk deny login (content-replace.rules)
* 1:18469 <-> DISABLED <-> CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt (content-replace.rules)
* 1:50066 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:50065 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Robinhood variant file transfer attempt (malware-cnc.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:610 <-> DISABLED <-> PROTOCOL-SERVICES rsh root (protocol-services.rules)
* 1:12037 <-> DISABLED <-> CONTENT-REPLACE AIM deny in-bound file transfer attempts (content-replace.rules)
* 1:12038 <-> DISABLED <-> CONTENT-REPLACE AIM deny out-bound file transfer attempts (content-replace.rules)
* 1:12035 <-> DISABLED <-> CONTENT-REPLACE IRC deny in-bound file transfer attempts (content-replace.rules)
* 1:12036 <-> DISABLED <-> CONTENT-REPLACE IRC deny out-bound file transfer attempts (content-replace.rules)
* 1:12033 <-> DISABLED <-> CONTENT-REPLACE Jabber deny in-bound file transfer attempts (content-replace.rules)
* 1:12034 <-> DISABLED <-> CONTENT-REPLACE Jabber deny out-bound file transfer attempts (content-replace.rules)
* 1:12031 <-> DISABLED <-> CONTENT-REPLACE MSN deny in-bound file transfer attempts (content-replace.rules)
* 1:12032 <-> DISABLED <-> CONTENT-REPLACE MSN deny out-bound file transfer attempts (content-replace.rules)
* 1:15441 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15439 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny tcp login (content-replace.rules)
* 1:15440 <-> DISABLED <-> CONTENT-REPLACE QQ 2008 deny udp login (content-replace.rules)
* 1:15429 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny outbound login attempt (content-replace.rules)
* 1:15438 <-> DISABLED <-> CONTENT-REPLACE QQ 2009 deny udp login (content-replace.rules)
* 1:15417 <-> DISABLED <-> CONTENT-REPLACE AIM deny server certificate for encrypted login (content-replace.rules)
* 1:15420 <-> DISABLED <-> CONTENT-REPLACE MSN deny login (content-replace.rules)
* 1:15415 <-> DISABLED <-> CONTENT-REPLACE AIM or ICQ deny unencrypted login connection (content-replace.rules)
* 1:15416 <-> DISABLED <-> CONTENT-REPLACE ICQ deny http proxy login (content-replace.rules)
* 1:12041 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts (content-replace.rules)
* 1:12042 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts (content-replace.rules)
* 1:12039 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts (content-replace.rules)
* 1:12040 <-> DISABLED <-> CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts (content-replace.rules)