Talos has added and modified multiple rules in the malware-cnc, os-windows, policy-other, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091400.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (snort3-policy-other.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (snort3-policy-other.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (snort3-policy-other.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (snort3-server-webapp.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (snort3-server-webapp.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (snort3-malware-cnc.rules)

* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (snort3-server-webapp.rules)
* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (snort3-os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50748 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
* 1:50749 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50767 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dot outbound DNS tunnel (malware-cnc.rules)
* 1:50754 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50743 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50752 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50751 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50744 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50742 <-> DISABLED <-> POLICY-OTHER DNS over HTTPS query attempt (policy-other.rules)
* 1:50750 <-> DISABLED <-> SERVER-WEBAPP Seowonintech diagnostic.cgi command injection attempt (server-webapp.rules)
* 1:50753 <-> DISABLED <-> SERVER-WEBAPP Seowonintech system_config.cgi local file include attempt (server-webapp.rules)
* 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
* 1:50740 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter plugin PHP code execution attempt (policy-other.rules)
* 1:50763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 1:50766 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ALMA_Dash outbound DNS tunnel (malware-cnc.rules)
* 1:50765 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ISMAgent outbound DNS tunnel (malware-cnc.rules)
* 1:50741 <-> DISABLED <-> POLICY-OTHER WordPress Ad Inserter debug feature access attempt (policy-other.rules)
* 1:50764 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Helminth outbound DNS tunnel (malware-cnc.rules)
* 3:50745 <-> ENABLED <-> SERVER-WEBAPP Cisco Vision Dynamic Signage Director authentication bypass attempt (server-webapp.rules)
* 3:50746 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0859 attack attempt (server-webapp.rules)
* 3:50747 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt (protocol-tftp.rules)
* 3:50755 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50756 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50757 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50758 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50759 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50760 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0858 attack attempt (server-webapp.rules)
* 3:50770 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0854 attack attempt (protocol-other.rules)

* 1:29601 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29598 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:29600 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)
* 1:18400 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
* 1:29599 <-> DISABLED <-> SERVER-WEBAPP HP SiteScope soap call apipreferenceimpl security bypass attempt (server-webapp.rules)