Talos has added and modified multiple rules in the app-detect, file-identify, file-image, file-multimedia, file-office, file-other, indicator-scan, malware-backdoor, malware-cnc, malware-tools, netbios, os-linux, os-windows, policy-other, protocol-dns, protocol-rpc, protocol-services, protocol-snmp, protocol-tftp, protocol-voip, server-apache, server-iis, server-mssql, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
* 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
* 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
* 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
* 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
* 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
* 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
* 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
* 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
* 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
* 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
* 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
* 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
* 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
* 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
* 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
* 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
* 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
* 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
* 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
* 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
* 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
* 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
* 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
* 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
* 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
* 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
* 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
* 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
* 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
* 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
* 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
* 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
* 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
* 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
* 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
* 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
* 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
* 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
* 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
* 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
* 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
* 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
* 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
* 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
* 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
* 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
* 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
* 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
* 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
* 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
* 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
* 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
* 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
* 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
* 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
* 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
* 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
* 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
* 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
* 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
* 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
* 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
* 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
* 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
* 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
* 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
* 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
* 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
* 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
* 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
* 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
* 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
* 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
* 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
* 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
* 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
* 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
* 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
* 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
* 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
* 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
* 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
* 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
* 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
* 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
* 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
* 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
* 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
* 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt
(protocol-rpc.rules) * 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules) * 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules) * 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules) * 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules) * 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules) * 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules) * 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules) * 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules) * 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules) * 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules) * 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules) * 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules) * 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules) * 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules) * 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules) * 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules) * 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules) * 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules) * 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules) * 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules) * 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules) * 1:2019 <-> DISABLED <-> PROTOCOL-RPC 
mountd UDP dump request (protocol-rpc.rules) * 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules) * 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules) * 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules) * 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules) * 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules) * 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules) * 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules) * 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules) * 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules) * 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules) * 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules) * 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules) * 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules) * 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules) * 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules) * 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules) * 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules) * 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules) * 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules) * 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules) * 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request 
length overflow attempt (server-other.rules) * 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules) * 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules) * 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules) * 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules) * 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules) * 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules) * 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules) * 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules) * 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules) * 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules) * 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules) * 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules) * 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules) * 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules) * 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules) * 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules) * 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules) * 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules) * 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt 
(server-other.rules) * 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules) * 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules) * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules) * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules) * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules) * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules) * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules) * 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules) * 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules) * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules) * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules) * 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules) * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules) * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules) * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules) * 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules) * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules) * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules) * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules) * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules) * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx 
data displacement null pointer DOS attempt (netbios.rules) * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules) * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules) * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules) * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules) * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules) * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules) * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules) * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules) * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules) * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules) * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules) * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules) * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules) * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules) * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules) * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules) * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules) * 1:44286 <-> DISABLED <-> FILE-IMAGE 
Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules) * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules) * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules) * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules) * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules) * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules) * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules) * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules) * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules) * 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules) * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules) * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules) * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules) * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules) * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules) * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5728 
<-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules) * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules) * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules) * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules) * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules) * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules) * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules) * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules) * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules) * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules) * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules) * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules) * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules) * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules) * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules) * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd 
overflow (os-linux.rules) * 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules) * 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules) * 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules) * 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules) * 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules) * 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules) * 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules) * 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules) * 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules) * 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules) * 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules) * 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules) * 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules) * 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules) * 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules) * 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules) * 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules) * 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules) * 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules) * 
1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules) * 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules) * 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules) * 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules) * 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules) * 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules) * 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules) * 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules) * 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules) * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules) * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules) * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules) * 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules) * 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules) * 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules) * 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules) * 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules) * 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules) * 1:520 <-> 
DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules) * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules) * 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules) * 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules) * 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules) * 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules) * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules) * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules) * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules) * 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules) * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules) * 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules) * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules) * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules) * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt 
(os-windows.rules) * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules) * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules) * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules) * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules) * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules) * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules) * 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules) * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules) * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules) * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules) * 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules) * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules) * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules) * 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules) * 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules) * 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules) * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules) * 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules) * 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules) * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules) * 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (snort3-os-windows.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (snort3-file-multimedia.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (snort3-file-identify.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (snort3-file-other.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (snort3-server-apache.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (snort3-os-windows.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (snort3-server-webapp.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (snort3-file-other.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (snort3-server-other.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (snort3-app-detect.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (snort3-file-identify.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (snort3-server-webapp.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (snort3-file-other.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (snort3-file-other.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (snort3-file-office.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (snort3-server-webapp.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (snort3-file-multimedia.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (snort3-server-other.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (snort3-server-other.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (snort3-server-other.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (snort3-file-office.rules)

* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (snort3-server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (snort3-policy-other.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (snort3-server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (snort3-protocol-dns.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (snort3-server-webapp.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (snort3-protocol-snmp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (snort3-protocol-tftp.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (snort3-server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (snort3-server-other.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (snort3-server-other.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (snort3-protocol-snmp.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (snort3-os-windows.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (snort3-indicator-scan.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (snort3-server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (snort3-server-other.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (snort3-server-other.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (snort3-indicator-scan.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (snort3-server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (snort3-server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (snort3-server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (snort3-netbios.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (snort3-protocol-voip.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (snort3-server-other.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (snort3-protocol-voip.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (snort3-server-other.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (snort3-server-other.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (snort3-server-other.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (snort3-server-webapp.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (snort3-server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (snort3-server-other.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (snort3-server-other.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (snort3-server-webapp.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (snort3-server-other.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (snort3-netbios.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (snort3-server-other.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (snort3-server-webapp.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (snort3-malware-tools.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (snort3-netbios.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (snort3-server-webapp.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (snort3-malware-backdoor.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (snort3-server-other.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (snort3-server-webapp.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (snort3-netbios.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (snort3-malware-backdoor.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (snort3-server-other.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (snort3-protocol-voip.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (snort3-server-webapp.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (snort3-server-webapp.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (snort3-protocol-rpc.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (snort3-server-other.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (snort3-server-other.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (snort3-protocol-rpc.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (snort3-protocol-rpc.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (snort3-protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (snort3-protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (snort3-protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (snort3-policy-other.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (snort3-protocol-rpc.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (snort3-protocol-rpc.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (snort3-protocol-snmp.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (snort3-server-webapp.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (snort3-protocol-rpc.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (snort3-protocol-snmp.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (snort3-protocol-rpc.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (snort3-server-webapp.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (snort3-server-iis.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (snort3-protocol-rpc.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (snort3-server-webapp.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (snort3-protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (snort3-protocol-rpc.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (snort3-protocol-dns.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (snort3-protocol-rpc.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (snort3-protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (snort3-protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (snort3-protocol-rpc.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (snort3-server-other.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (snort3-protocol-rpc.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (snort3-protocol-rpc.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (snort3-protocol-rpc.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (snort3-protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (snort3-protocol-rpc.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (snort3-malware-backdoor.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (snort3-protocol-rpc.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (snort3-protocol-rpc.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (snort3-malware-backdoor.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (snort3-protocol-rpc.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (snort3-protocol-rpc.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (snort3-protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (snort3-protocol-rpc.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (snort3-protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (snort3-protocol-rpc.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (snort3-protocol-rpc.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (snort3-policy-other.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (snort3-protocol-rpc.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (snort3-policy-other.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (snort3-indicator-scan.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (snort3-indicator-scan.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (snort3-os-windows.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (snort3-protocol-rpc.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (snort3-server-other.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (snort3-protocol-rpc.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (snort3-protocol-rpc.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (snort3-sql.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (snort3-protocol-rpc.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (snort3-server-other.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (snort3-protocol-rpc.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (snort3-server-other.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (snort3-server-other.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (snort3-server-other.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (snort3-protocol-rpc.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (snort3-protocol-tftp.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (snort3-protocol-tftp.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (snort3-protocol-dns.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (snort3-server-mssql.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (snort3-os-windows.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (snort3-server-other.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (snort3-netbios.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (snort3-protocol-dns.rules)
* 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (snort3-server-webapp.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (snort3-netbios.rules)
* 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (snort3-server-other.rules)
* 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (snort3-malware-cnc.rules)
* 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (snort3-server-other.rules)
* 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (snort3-server-other.rules)
* 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (snort3-protocol-dns.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (snort3-os-windows.rules)
* 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (snort3-os-windows.rules)
* 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (snort3-malware-cnc.rules)
* 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (snort3-server-other.rules)
* 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (snort3-os-windows.rules)
* 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (snort3-os-linux.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (snort3-server-webapp.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (snort3-server-other.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (snort3-os-linux.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (snort3-server-other.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (snort3-protocol-dns.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (snort3-server-other.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (snort3-server-other.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (snort3-server-other.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (snort3-server-other.rules)
* 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (snort3-malware-cnc.rules)
* 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (snort3-malware-cnc.rules)
* 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (snort3-malware-cnc.rules)
* 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (snort3-server-other.rules)
* 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (snort3-netbios.rules)
* 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (snort3-protocol-tftp.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (snort3-malware-cnc.rules)
* 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (snort3-server-other.rules)
* 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (snort3-netbios.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (snort3-malware-cnc.rules)
* 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (snort3-netbios.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (snort3-os-windows.rules)
* 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (snort3-server-other.rules)
* 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (snort3-netbios.rules)
* 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (snort3-netbios.rules)
* 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (snort3-netbios.rules)
* 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (snort3-os-windows.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (snort3-malware-cnc.rules)
* 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (snort3-file-image.rules)
* 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (snort3-netbios.rules)
* 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (snort3-netbios.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (snort3-malware-cnc.rules)
* 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (snort3-netbios.rules)
* 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (snort3-netbios.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (snort3-protocol-tftp.rules)
* 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (snort3-os-windows.rules)
* 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (snort3-protocol-snmp.rules)
* 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (snort3-os-windows.rules)
* 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (snort3-netbios.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (snort3-server-other.rules)
* 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (snort3-netbios.rules)
* 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (snort3-netbios.rules)
* 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (snort3-netbios.rules)
* 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (snort3-protocol-tftp.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (snort3-protocol-rpc.rules)
* 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (snort3-protocol-rpc.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (snort3-malware-backdoor.rules)
* 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (snort3-protocol-services.rules)
* 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (snort3-protocol-rpc.rules)
* 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (snort3-malware-tools.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (snort3-protocol-rpc.rules)
* 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (snort3-protocol-rpc.rules)
* 1:581
<-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (snort3-protocol-rpc.rules) * 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (snort3-protocol-rpc.rules) * 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (snort3-protocol-rpc.rules) * 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (snort3-protocol-rpc.rules) * 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (snort3-protocol-rpc.rules) * 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (snort3-protocol-rpc.rules) * 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (snort3-protocol-rpc.rules) * 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (snort3-protocol-rpc.rules) * 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (snort3-os-windows.rules) * 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (snort3-protocol-rpc.rules) * 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (snort3-protocol-rpc.rules) * 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (snort3-protocol-rpc.rules) * 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules) * 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (snort3-os-windows.rules) * 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (snort3-protocol-rpc.rules) * 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (snort3-os-windows.rules) * 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (snort3-netbios.rules) * 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules) * 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (snort3-os-windows.rules) * 
1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules) * 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (snort3-protocol-tftp.rules) * 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (snort3-netbios.rules) * 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (snort3-os-windows.rules) * 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (snort3-server-webapp.rules) * 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (snort3-server-webapp.rules) * 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (snort3-server-other.rules) * 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (snort3-server-other.rules) * 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (snort3-protocol-rpc.rules) * 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (snort3-protocol-rpc.rules) * 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (snort3-server-other.rules) * 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (snort3-protocol-tftp.rules) * 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (snort3-server-webapp.rules) * 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (snort3-server-other.rules) * 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (snort3-os-windows.rules) * 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (snort3-server-other.rules) * 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (snort3-server-other.rules) * 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (snort3-server-other.rules) * 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (snort3-server-other.rules) * 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access 
(snort3-server-webapp.rules) * 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (snort3-server-other.rules) * 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (snort3-server-other.rules) * 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (snort3-server-other.rules) * 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (snort3-server-webapp.rules) * 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (snort3-server-other.rules) * 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (snort3-netbios.rules) * 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (snort3-server-other.rules) * 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (snort3-server-other.rules) * 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (snort3-server-other.rules) * 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (snort3-protocol-tftp.rules) * 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (snort3-os-windows.rules) * 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (snort3-protocol-tftp.rules) * 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (snort3-protocol-tftp.rules) * 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (snort3-indicator-scan.rules) * 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (snort3-server-other.rules) * 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (snort3-os-windows.rules) * 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (snort3-protocol-rpc.rules) * 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (snort3-indicator-scan.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
* 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
* 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
* 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
* 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
* 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
* 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
* 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
* 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
* 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
* 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
* 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
* 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
* 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
* 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
* 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
* 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
* 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
* 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
* 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
* 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
* 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
* 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
* 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
* 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
* 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
* 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
* 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
* 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
* 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
* 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
* 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
* 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
* 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
* 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
* 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
* 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
* 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
* 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
* 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50877 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50879 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50884 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50881 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50887 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50891 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50874 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50892 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50885 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI EMF parsing arbitrary code execution attempt (file-other.rules)
* 1:50870 <-> ENABLED <-> APP-DETECT Quagga password challenge detected (app-detect.rules)
* 1:50886 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage cross site scripting attempt (server-webapp.rules)
* 1:50871 <-> DISABLED <-> SERVER-OTHER Quagga telnet CLI buffer overflow attempt (server-other.rules)
* 1:50888 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 1:50893 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows mp3 file malformed ID3 APIC header code execution attempt (file-multimedia.rules)
* 1:50873 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50894 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50901 <-> DISABLED <-> SERVER-OTHER OpenBSD ISAKMP denial of service attempt (server-other.rules)
* 1:50896 <-> DISABLED <-> SERVER-OTHER NetSupport Manager client buffer overflow attempt (server-other.rules)
* 1:50878 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50883 <-> DISABLED <-> SERVER-APACHE Apache 2 mod_ssl Connection Abort denial of service attempt (server-apache.rules)
* 1:50900 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
* 1:50890 <-> DISABLED <-> SERVER-OTHER Novell NetWare AFP denial of service attempt (server-other.rules)
* 1:50875 <-> ENABLED <-> FILE-IDENTIFY Fax Cover Page file magic detected (file-identify.rules)
* 1:50876 <-> DISABLED <-> SERVER-WEBAPP WP Statistics cross site scripting attempt (server-webapp.rules)
* 1:50872 <-> DISABLED <-> OS-WINDOWS Microsoft Fax Cover Page Editor heap corruption attempt (os-windows.rules)
* 1:50895 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
* 1:50880 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50882 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:50889 <-> DISABLED <-> FILE-OTHER Microsoft OpenType font index remote code execution attempt (file-other.rules)
* 3:50897 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50898 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0884 attack attempt (file-image.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
* 1:6444 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW heap overflow attempt (os-windows.rules)
* 1:939 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage posting (server-other.rules)
* 1:7507 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool coma runtime detection - init connection (malware-tools.rules)
* 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
* 1:958 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.cnf access (server-other.rules)
* 1:872 <-> DISABLED <-> SERVER-WEBAPP tcsh access (server-webapp.rules)
* 1:6712 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt (netbios.rules)
* 1:952 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage author.exe access (server-other.rules)
* 1:6410 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:949 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.htm access (server-other.rules)
* 1:6707 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt (netbios.rules)
* 1:950 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage cfgwiz.exe access (server-other.rules)
* 1:3650 <-> DISABLED <-> NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt (netbios.rules)
* 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
* 1:937 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_rpc access (server-other.rules)
* 1:947 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.txt access (server-other.rules)
* 1:946 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access (server-other.rules)
* 1:955 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage access.cnf access (server-other.rules)
* 1:635 <-> DISABLED <-> INDICATOR-SCAN XTACACS logout (indicator-scan.rules)
* 1:6513 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated video mini-frame packet overflow attempt (protocol-voip.rules)
* 1:865 <-> DISABLED <-> SERVER-WEBAPP ksh access (server-webapp.rules)
* 1:578 <-> DISABLED <-> PROTOCOL-RPC portmap cmsd request UDP (protocol-rpc.rules)
* 1:576 <-> DISABLED <-> PROTOCOL-RPC portmap amountd request UDP (protocol-rpc.rules)
* 1:577 <-> DISABLED <-> PROTOCOL-RPC portmap bootparam request UDP (protocol-rpc.rules)
* 1:5738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:5726 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:579 <-> DISABLED <-> PROTOCOL-RPC portmap mountd request UDP (protocol-rpc.rules)
* 1:575 <-> DISABLED <-> PROTOCOL-RPC portmap admind request UDP (protocol-rpc.rules)
* 1:5732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:580 <-> DISABLED <-> PROTOCOL-RPC portmap nisd request UDP (protocol-rpc.rules)
* 1:1166 <-> DISABLED <-> SERVER-WEBAPP ws_ftp.ini access (server-webapp.rules)
* 1:1248 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access (server-other.rules)
* 1:1145 <-> DISABLED <-> SERVER-WEBAPP root access (server-webapp.rules)
* 1:1130 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:1280 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 111 (protocol-rpc.rules)
* 1:1289 <-> DISABLED <-> PROTOCOL-TFTP GET Admin.dll (protocol-tftp.rules)
* 1:1249 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access (server-other.rules)
* 1:1309 <-> DISABLED <-> SERVER-WEBAPP zsh access (server-webapp.rules)
* 1:1281 <-> DISABLED <-> PROTOCOL-RPC portmap listing UDP 32771 (protocol-rpc.rules)
* 1:1288 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage /_vti_bin/ access (server-other.rules)
* 1:1131 <-> DISABLED <-> SERVER-WEBAPP .wwwacl access (server-webapp.rules)
* 1:2377 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload certificate request length overflow attempt (server-other.rules)
* 1:2378 <-> DISABLED <-> SERVER-OTHER ISAKMP third payload certificate request length overflow attempt (server-other.rules)
* 1:253 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:2486 <-> DISABLED <-> SERVER-OTHER ISAKMP invalid identification payload attempt (server-other.rules)
* 1:2511 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt (os-windows.rules)
* 1:2379 <-> DISABLED <-> SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt (server-other.rules)
* 1:636 <-> DISABLED <-> INDICATOR-SCAN cybercop udp bomb (indicator-scan.rules)
* 1:254 <-> DISABLED <-> PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority (protocol-dns.rules)
* 1:2380 <-> DISABLED <-> SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt (server-other.rules)
* 1:965 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage writeto.cnf access (server-other.rules)
* 1:6411 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:590 <-> DISABLED <-> PROTOCOL-RPC portmap ypserv request UDP (protocol-rpc.rules)
* 1:5720 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans unicode Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:942 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage orders.htm access (server-other.rules)
* 1:4661 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt (netbios.rules)
* 1:4671 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt (netbios.rules)
* 1:5897 <-> DISABLED <-> MALWARE-TOOLS Hacker-Tool timbuktu pro runtime detection - udp port 407 (malware-tools.rules)
* 1:957 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage registrations.txt access (server-other.rules)
* 1:868 <-> DISABLED <-> SERVER-WEBAPP rsh access (server-webapp.rules)
* 1:313 <-> DISABLED <-> OS-LINUX ntalkd x86 Linux overflow (os-linux.rules)
* 1:271 <-> DISABLED <-> SERVER-OTHER UDP echo+chargen bomb (server-other.rules)
* 1:281 <-> DISABLED <-> SERVER-OTHER Ascend Route (server-other.rules)
* 1:963 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage svcacl.cnf access (server-other.rules)
* 1:3006 <-> DISABLED <-> SERVER-OTHER Volition Freespace 2 buffer overflow attempt (server-other.rules)
* 1:317 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:968 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.htm access (server-other.rules)
* 1:3159 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt (os-windows.rules)
* 1:967 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage dvwssr.dll access (server-other.rules)
* 1:6409 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage server extension long host string overflow attempt (server-other.rules)
* 1:951 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage authors.pwd access (server-other.rules)
* 1:5725 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans andx Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:2563 <-> DISABLED <-> NETBIOS NS lookup response name overflow attempt (netbios.rules)
* 1:954 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results.htm access (server-other.rules)
* 1:316 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:3154 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query overflow (protocol-dns.rules)
* 1:990 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage _vti_inf.html access (server-other.rules)
* 1:2019 <-> DISABLED <-> PROTOCOL-RPC mountd UDP dump request (protocol-rpc.rules)
* 1:945 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpadmin.htm access (server-other.rules)
* 1:877 <-> DISABLED <-> SERVER-WEBAPP rksh access (server-webapp.rules)
* 1:32188 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection (malware-cnc.rules)
* 1:49252 <-> DISABLED <-> SERVER-OTHER HP iNode Management Center iNodeMngChecker buffer overflow attempt (server-other.rules)
* 1:3234 <-> DISABLED <-> OS-WINDOWS Messenger message little endian overflow attempt (os-windows.rules)
* 1:966 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage .... request (server-other.rules)
* 1:3538 <-> DISABLED <-> SERVER-OTHER RADIUS registration MSID overflow attempt (server-other.rules)
* 1:4660 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt (netbios.rules)
* 1:9624 <-> DISABLED <-> PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP (protocol-rpc.rules)
* 1:2015 <-> DISABLED <-> PROTOCOL-RPC portmap UNSET attempt UDP 111 (protocol-rpc.rules)
* 1:3235 <-> DISABLED <-> OS-WINDOWS Messenger message overflow attempt (os-windows.rules)
* 1:3080 <-> DISABLED <-> SERVER-OTHER Unreal Tournament secure overflow attempt (server-other.rules)
* 1:5728 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param OS-WINDOWS attempt (os-windows.rules)
* 1:2578 <-> DISABLED <-> SERVER-OTHER kerberos principal name overflow UDP (server-other.rules)
* 1:2564 <-> DISABLED <-> NETBIOS NS lookup short response attempt (netbios.rules)
* 1:2656 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt (server-webapp.rules)
* 1:586 <-> DISABLED <-> PROTOCOL-RPC portmap selection_svc request UDP (protocol-rpc.rules)
* 1:583 <-> DISABLED <-> PROTOCOL-RPC portmap rstatd request UDP (protocol-rpc.rules)
* 1:585 <-> DISABLED <-> PROTOCOL-RPC portmap sadmind request UDP attempt (protocol-rpc.rules)
* 1:634 <-> DISABLED <-> INDICATOR-SCAN Amanda client-version request (indicator-scan.rules)
* 1:637 <-> DISABLED <-> INDICATOR-SCAN Webtrends Scanner UDP Probe (indicator-scan.rules)
* 1:3647 <-> DISABLED <-> NETBIOS SMB Trans andx data displacement null pointer DOS attempt (netbios.rules)
* 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
* 1:611 <-> DISABLED <-> PROTOCOL-SERVICES rlogin login failure (protocol-services.rules)
* 1:5681 <-> DISABLED <-> NETBIOS SMB Session Setup unicode username overflow attempt (netbios.rules)
* 1:256 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:961 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage services.cnf access (server-other.rules)
* 1:8710 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NAT helper components udp denial of service attempt (os-windows.rules)
* 1:3539 <-> DISABLED <-> SERVER-OTHER RADIUS MSID overflow attempt (server-other.rules)
* 1:6515 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated mini-frame packet overflow attempt (protocol-voip.rules)
* 1:6456 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContext heap overflow attempt (os-windows.rules)
* 1:6473 <-> DISABLED <-> MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client (malware-backdoor.rules)
* 1:6514 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk IAX2 truncated full-frame packet overflow attempt (protocol-voip.rules)
* 1:956 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage register.txt access (server-other.rules)
* 1:315 <-> DISABLED <-> OS-LINUX x86 Linux mountd overflow (os-linux.rules)
* 1:4673 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt (netbios.rules)
* 1:3472 <-> DISABLED <-> SERVER-OTHER ARCserve discovery service overflow (server-other.rules)
* 1:5719 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt (os-windows.rules)
* 1:32189 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection (malware-cnc.rules)
* 1:587 <-> DISABLED <-> PROTOCOL-RPC portmap status request UDP (protocol-rpc.rules)
* 1:37356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key (malware-cnc.rules)
* 1:960 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.stp access (server-other.rules)
* 1:6706 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary Param Count overflow attempt (netbios.rules)
* 1:584 <-> DISABLED <-> PROTOCOL-RPC portmap rusers request UDP (protocol-rpc.rules)
* 1:3540 <-> DISABLED <-> SERVER-OTHER RADIUS registration vendor ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:3239 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt (os-windows.rules)
* 1:953 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage administrators.pwd access (server-other.rules)
* 1:37357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication (malware-cnc.rules)
* 1:582 <-> DISABLED <-> PROTOCOL-RPC portmap rexd request UDP (protocol-rpc.rules)
* 1:4246 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP msdtc BuildContextW overflow attempt (os-windows.rules)
* 1:43478 <-> DISABLED <-> MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection (malware-cnc.rules)
* 1:3648 <-> DISABLED <-> NETBIOS SMB Trans data displacement null pointer DOS attempt (netbios.rules)
* 1:2005 <-> DISABLED <-> PROTOCOL-RPC portmap kcms_server request UDP (protocol-rpc.rules)
* 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
* 1:4659 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt (netbios.rules)
* 1:3817 <-> DISABLED <-> PROTOCOL-TFTP GET transfer mode overflow attempt (protocol-tftp.rules)
* 1:964 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage users.pwd access (server-other.rules)
* 1:944 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpremadm.exe access (server-other.rules)
* 1:941 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage contents.htm access (server-other.rules)
* 1:943 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access (server-other.rules)
* 1:4672 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt (netbios.rules)
* 1:4662 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt (netbios.rules)
* 1:1444 <-> DISABLED <-> PROTOCOL-TFTP Get (protocol-tftp.rules)
* 1:862 <-> DISABLED <-> SERVER-WEBAPP csh access (server-webapp.rules)
* 1:832 <-> DISABLED <-> SERVER-WEBAPP perl.exe access (server-webapp.rules)
* 1:1427 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-trap-app attempt (protocol-snmp.rules)
* 1:1443 <-> DISABLED <-> PROTOCOL-TFTP GET passwd (protocol-tftp.rules)
* 1:940 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.dll access (server-other.rules)
* 1:1441 <-> DISABLED <-> PROTOCOL-TFTP GET nc.exe (protocol-tftp.rules)
* 1:1426 <-> DISABLED <-> PROTOCOL-SNMP PROTOS test-suite-req-app attempt (protocol-snmp.rules)
* 1:589 <-> DISABLED <-> PROTOCOL-RPC portmap yppasswd request UDP (protocol-rpc.rules)
* 1:519 <-> DISABLED <-> PROTOCOL-TFTP parent directory (protocol-tftp.rules)
* 1:43527 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command injection attempt (server-webapp.rules)
* 1:581 <-> DISABLED <-> PROTOCOL-RPC portmap pcnfsd request UDP (protocol-rpc.rules)
* 1:4755 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP locator nsi_binding_lookup_begin overflow attempt (os-windows.rules)
* 1:5680 <-> DISABLED <-> NETBIOS SMB Session Setup username overflow attempt (netbios.rules)
* 1:39931 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:520 <-> DISABLED <-> PROTOCOL-TFTP root directory (protocol-tftp.rules)
* 1:43526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected (malware-cnc.rules)
* 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
* 1:4674 <-> DISABLED <-> NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt (netbios.rules)
* 1:588 <-> DISABLED <-> PROTOCOL-RPC portmap ttdbserv request UDP (protocol-rpc.rules)
* 1:1442 <-> DISABLED <-> PROTOCOL-TFTP GET shadow (protocol-tftp.rules)
* 1:3649 <-> DISABLED <-> NETBIOS SMB Trans unicode data displacement null pointer DOS attempt (netbios.rules)
* 1:279 <-> DISABLED <-> SERVER-OTHER Bay/Nortel Nautica Marlin (server-other.rules)
* 1:1388 <-> DISABLED <-> OS-WINDOWS Microsoft Windows UPnP Location overflow attempt (os-windows.rules)
* 1:612 <-> DISABLED <-> PROTOCOL-RPC rusers query UDP (protocol-rpc.rules)
* 1:1980 <-> DISABLED <-> MALWARE-BACKDOOR DeepThroat 3.1 Connection (malware-backdoor.rules)
* 1:9773 <-> DISABLED <-> NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt (netbios.rules)
* 1:6713 <-> DISABLED <-> NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt (netbios.rules)
* 1:959 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage service.pwd (server-other.rules)
* 1:1489 <-> DISABLED <-> SERVER-WEBAPP nobody access (server-webapp.rules)
* 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound connection (malware-cnc.rules)
* 1:1985 <-> DISABLED <-> MALWARE-BACKDOOR Doly variant outbound connection attempt (malware-backdoor.rules)
* 1:2021 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmount request (protocol-rpc.rules)
* 1:2029 <-> DISABLED <-> PROTOCOL-RPC yppasswd new password overflow attempt UDP (protocol-rpc.rules)
* 1:2023 <-> DISABLED <-> PROTOCOL-RPC mountd UDP unmountall request (protocol-rpc.rules)
* 1:2017 <-> DISABLED <-> PROTOCOL-RPC portmap espd request UDP (protocol-rpc.rules)
* 1:2027 <-> DISABLED <-> PROTOCOL-RPC yppasswd old password overflow attempt UDP (protocol-rpc.rules)
* 1:2037 <-> DISABLED <-> PROTOCOL-RPC network-status-monitor mon-callback request UDP (protocol-rpc.rules)
* 1:2031 <-> DISABLED <-> PROTOCOL-RPC yppasswd user update UDP (protocol-rpc.rules)
* 1:2025 <-> DISABLED <-> PROTOCOL-RPC yppasswd username overflow attempt UDP (protocol-rpc.rules)
* 1:2035 <-> DISABLED <-> PROTOCOL-RPC portmap network-status-monitor request UDP (protocol-rpc.rules)
* 1:2042 <-> DISABLED <-> POLICY-OTHER xtacacs accepted login response (policy-other.rules)
* 1:2039 <-> DISABLED <-> SERVER-OTHER bootp hostname format string attempt (server-other.rules)
* 1:2043 <-> DISABLED <-> INDICATOR-SCAN isakmp login failed (indicator-scan.rules)
* 1:2033 <-> DISABLED <-> PROTOCOL-RPC ypserv maplist request UDP (protocol-rpc.rules)
* 1:2041 <-> DISABLED <-> INDICATOR-SCAN xtacacs failed login response (indicator-scan.rules)
* 1:2049 <-> DISABLED <-> SQL ping attempt (sql.rules)
* 1:2040 <-> DISABLED <-> POLICY-OTHER xtacacs login attempt (policy-other.rules)
* 1:2079 <-> DISABLED <-> PROTOCOL-RPC portmap nlockmgr request UDP (protocol-rpc.rules)
* 1:2257 <-> DISABLED <-> OS-WINDOWS DCERPC Messenger Service buffer overflow attempt (os-windows.rules)
* 1:2083 <-> DISABLED <-> PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP (protocol-rpc.rules)
* 1:2329 <-> DISABLED <-> SERVER-MSSQL probe response overflow attempt (server-mssql.rules)
* 1:2256 <-> DISABLED <-> PROTOCOL-RPC sadmind query with root credentials attempt UDP (protocol-rpc.rules)
* 1:2376 <-> DISABLED <-> SERVER-OTHER ISAKMP first payload certificate request length overflow attempt (server-other.rules)
* 1:2081 <-> DISABLED <-> PROTOCOL-RPC portmap rpc.xfsmd request UDP (protocol-rpc.rules)
* 1:2094 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt (protocol-rpc.rules)
* 1:1961 <-> DISABLED <-> PROTOCOL-RPC portmap RQUOTA request UDP (protocol-rpc.rules)
* 1:1907 <-> DISABLED <-> PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt (protocol-rpc.rules)
* 1:1963 <-> DISABLED <-> PROTOCOL-RPC RQUOTA getquota overflow attempt UDP (protocol-rpc.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:1956 <-> DISABLED <-> PROTOCOL-RPC AMD UDP version request (protocol-rpc.rules)
* 1:1954 <-> DISABLED <-> PROTOCOL-RPC AMD UDP pid request (protocol-rpc.rules)
* 1:1948 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via UDP detected (protocol-dns.rules)
* 1:1959 <-> DISABLED <-> PROTOCOL-RPC portmap NFS request UDP (protocol-rpc.rules)
* 1:1950 <-> DISABLED <-> PROTOCOL-RPC portmap SET attempt UDP 111 (protocol-rpc.rules)
* 1:2339 <-> DISABLED <-> PROTOCOL-TFTP NULL command attempt (protocol-tftp.rules)
* 1:1939 <-> DISABLED <-> SERVER-OTHER bootp hardware address length overflow (server-other.rules)
* 1:1964 <-> DISABLED <-> PROTOCOL-RPC tooltalk UDP overflow attempt (protocol-rpc.rules)
* 1:1966 <-> DISABLED <-> SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt (server-other.rules)
* 1:1940 <-> DISABLED <-> SERVER-OTHER bootp invalid hardware type (server-other.rules)
* 1:1924 <-> DISABLED <-> PROTOCOL-RPC mountd UDP export request (protocol-rpc.rules)
* 1:1504 <-> DISABLED <-> POLICY-OTHER AFS access (policy-other.rules)
* 1:1551 <-> DISABLED <-> SERVER-WEBAPP /CVS/Entries access (server-webapp.rules)
* 1:1915 <-> DISABLED <-> PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1910 <-> DISABLED <-> PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt (protocol-rpc.rules)
* 1:1926 <-> DISABLED <-> PROTOCOL-RPC mountd UDP exportall request (protocol-rpc.rules)
* 1:1913 <-> DISABLED <-> PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt (protocol-rpc.rules)
* 1:1923 <-> DISABLED <-> PROTOCOL-RPC portmap proxy attempt UDP (protocol-rpc.rules)
* 1:1521 <-> DISABLED <-> SERVER-WEBAPP server-status access (server-webapp.rules)
* 1:1520 <-> DISABLED <-> SERVER-WEBAPP server-info access (server-webapp.rules)
* 1:1911 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt (protocol-rpc.rules)
* 1:1957 <-> DISABLED <-> PROTOCOL-RPC sadmind UDP PING (protocol-rpc.rules)
* 1:1890 <-> DISABLED <-> PROTOCOL-RPC status GHBN format string attack (protocol-rpc.rules)
* 1:1648 <-> DISABLED <-> SERVER-WEBAPP perl.exe command attempt (server-webapp.rules)
* 1:1771 <-> DISABLED <-> POLICY-OTHER IPSec PGPNet connection attempt (policy-other.rules)
* 1:1660 <-> DISABLED <-> SERVER-IIS trace.axd access (server-iis.rules)
* 1:1616 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1746 <-> DISABLED <-> PROTOCOL-RPC portmap cachefsd request UDP (protocol-rpc.rules)
* 1:1649 <-> DISABLED <-> SERVER-WEBAPP perl command attempt (server-webapp.rules)
* 1:1732 <-> DISABLED <-> PROTOCOL-RPC portmap rwalld request UDP (protocol-rpc.rules)
* 1:1893 <-> DISABLED <-> PROTOCOL-SNMP missing community string attempt (protocol-snmp.rules)
* 1:1892 <-> DISABLED <-> PROTOCOL-SNMP null community string attempt (protocol-snmp.rules)
* 1:1905 <-> DISABLED <-> PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt (protocol-rpc.rules)
* 1:5096 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt (os-windows.rules)
* 1:5683 <-> DISABLED <-> NETBIOS SMB Session Setup andx username overflow attempt (netbios.rules)
* 1:948 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage form_results access (server-other.rules)
* 1:885 <-> DISABLED <-> SERVER-WEBAPP bash access (server-webapp.rules)
* 1:9622 <-> DISABLED <-> SERVER-OTHER Spiffit UDP denial of service attempt (server-other.rules)
* 1:3541 <-> DISABLED <-> SERVER-OTHER RADIUS ATTR_TYPE_STR overflow attempt (server-other.rules)
* 1:516 <-> DISABLED <-> PROTOCOL-SNMP NT UserList (protocol-snmp.rules)
* 1:4141 <-> DISABLED <-> SERVER-OTHER tcpdump udp LDP print zero length message denial of service attempt (server-other.rules)
* 1:5684 <-> DISABLED <-> NETBIOS SMB Session Setup unicode andx username overflow attempt (netbios.rules)