Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-identify, file-multimedia, file-other, indicator-shellcode, malware-cnc, policy-other, protocol-dns, protocol-other, server-iis, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (snort3-server-other.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (snort3-server-other.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (snort3-server-other.rules)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (snort3-server-webapp.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (snort3-server-webapp.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (snort3-malware-cnc.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (snort3-malware-cnc.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (snort3-file-identify.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (snort3-server-iis.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (snort3-browser-plugins.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (snort3-protocol-dns.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (snort3-browser-plugins.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (snort3-file-multimedia.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (snort3-browser-plugins.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (snort3-server-iis.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (snort3-browser-plugins.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (snort3-indicator-shellcode.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (snort3-browser-plugins.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (snort3-browser-plugins.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (snort3-indicator-shellcode.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (snort3-protocol-dns.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (snort3-browser-plugins.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (snort3-policy-other.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (snort3-server-mail.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (snort3-browser-plugins.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (snort3-browser-webkit.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (snort3-protocol-dns.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (snort3-browser-plugins.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (snort3-server-iis.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
* 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
* 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
* 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
* 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
* 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
* 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
* 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
* 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
* 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
* 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
* 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
* 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
* 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
* 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
* 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
* 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
* 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
* 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
* 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
* 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
* 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
* 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
* 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
* 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
* 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
* 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
* 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
* 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
* 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
* 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
* 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
* 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
* 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
* 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
* 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
* 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
* 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
* 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
* 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)