Talos has added and modified multiple rules in the browser-firefox, file-flash, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
* 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
* 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
* 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
* 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
* 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
* 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
* 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
* 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
* 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
* 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
* 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
* 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
* 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
* 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
* 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
* 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
* 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
* 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
* 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
* 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
* 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
* 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
* 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
* 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
* 1:50580 <-> DISABLED <->
PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules) * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules) * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules) * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules) * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules) * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules) * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules) * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules) * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules) * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules) * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules) * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules) * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules) * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules) * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (snort3-protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (snort3-protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (snort3-protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (snort3-protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (snort3-protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (snort3-protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (snort3-protocol-scada.rules)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (snort3-protocol-scada.rules)
* 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (snort3-malware-cnc.rules)
* 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (snort3-malware-cnc.rules)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (snort3-server-webapp.rules)
* 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (snort3-protocol-scada.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (snort3-protocol-scada.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (snort3-os-windows.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (snort3-os-windows.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (snort3-malware-cnc.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (snort3-protocol-scada.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (snort3-protocol-scada.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (snort3-protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (snort3-protocol-scada.rules)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (snort3-protocol-scada.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (snort3-protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (snort3-protocol-scada.rules)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (snort3-protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (snort3-protocol-scada.rules)
* 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (snort3-protocol-scada.rules)
* 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (snort3-protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (snort3-protocol-scada.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (snort3-malware-cnc.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (snort3-protocol-scada.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (snort3-protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (snort3-protocol-scada.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (snort3-protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (snort3-protocol-scada.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (snort3-protocol-scada.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (snort3-protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (snort3-protocol-scada.rules)
* 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (snort3-protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (snort3-protocol-scada.rules)
* 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (snort3-protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (snort3-protocol-scada.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (snort3-protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (snort3-protocol-scada.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (snort3-protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (snort3-protocol-scada.rules)
* 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (snort3-protocol-scada.rules)
* 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (snort3-protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (snort3-protocol-scada.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (snort3-protocol-scada.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (snort3-protocol-scada.rules)
* 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (snort3-protocol-scada.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (snort3-protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (snort3-protocol-scada.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (snort3-protocol-scada.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (snort3-server-webapp.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (snort3-protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (snort3-protocol-scada.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (snort3-protocol-scada.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (snort3-protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (snort3-protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (snort3-protocol-scada.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (snort3-protocol-scada.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (snort3-protocol-scada.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (snort3-protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (snort3-protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (snort3-protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (snort3-protocol-scada.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (snort3-protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (snort3-protocol-scada.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (snort3-protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (snort3-protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (snort3-protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (snort3-protocol-scada.rules)
* 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (snort3-protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (snort3-protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (snort3-protocol-scada.rules)
* 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (snort3-protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (snort3-protocol-scada.rules)
* 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (snort3-protocol-scada.rules)
* 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (snort3-protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (snort3-protocol-scada.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (snort3-protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (snort3-protocol-scada.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (snort3-protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (snort3-protocol-scada.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (snort3-protocol-scada.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (snort3-malware-cnc.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (snort3-server-webapp.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (snort3-malware-cnc.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
* 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
* 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
* 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
* 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
* 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
* 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
* 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
* 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
* 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
* 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
* 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
* 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
* 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
* 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
* 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
* 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
* 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
* 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
* 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
* 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
* 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
* 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
* 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
* 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
* 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
* 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
* 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
* 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
* 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
* 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
* 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
* 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
* 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
* 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
* 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
* 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
* 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
* 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
* 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
* 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
* 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
* 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
* 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
* 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
* 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
* 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
* 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
* 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
* 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
* 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
* 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
* 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
* 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
* 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
* 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
* 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
* 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
* 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
* 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
* 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
* 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
* 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
* 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
* 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
* 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
* 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
* 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
* 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
* 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
* 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
* 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
* 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
* 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
* 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
* 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
* 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
* 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
* 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
* 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
* 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
* 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
* 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
* 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
* 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
* 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
* 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
* 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
* 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
* 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
* 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
* 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
* 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
* 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
* 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
* 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
* 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
* 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
* 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
* 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
* 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
* 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
* 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
* 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
* 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
* 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)