Talos has added and modified multiple rules in the browser-webkit, file-identify, file-image, file-other, malware-cnc, malware-tools, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)

* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)

* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)

* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)

* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52015 <->
ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules) * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (snort3-policy-other.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (snort3-server-webapp.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (snort3-server-webapp.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (snort3-server-mail.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (snort3-server-mail.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (snort3-server-mail.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (snort3-policy-other.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (snort3-policy-other.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (snort3-file-identify.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (snort3-file-identify.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (snort3-file-identify.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (snort3-server-other.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (snort3-browser-webkit.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (snort3-server-other.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (snort3-policy-other.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (snort3-server-webapp.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (snort3-malware-cnc.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (snort3-file-other.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (snort3-file-other.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (snort3-file-other.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (snort3-file-other.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (snort3-server-webapp.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (snort3-browser-webkit.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (snort3-server-other.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (snort3-server-webapp.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (snort3-server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (snort3-server-other.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (snort3-server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
* 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
* 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
* 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
* 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
* 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
* 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
* 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
* 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
* 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
* 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
* 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
* 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
* 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
* 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
* 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
* 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
* 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
* 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
* 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
* 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
* 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
* 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
* 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
* 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
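The "gid:sid <-> Default rule state <-> Message (rule group)" format is repeated for each Snort version above, and the practical question it raises is the same every time: almost every new rule in this pack ships DISABLED, so none of the SolarWinds, FusionPBX, Advantech, AlienVault, Mosquitto or MailEnable coverage does anything until you enable it in your policy. Only the Emotet beacon rule (1:51971), the SharePoint XSS rule (1:51981), the three Windows Media Metafile FILE-IDENTIFY rules and the gid 3 TRUFFLEHUNTER shared-object rules are on by default. The parser below is an added example, not Talos's or Snort's own code: it reads lines in this format (including lines where several entries were run together by extraction), collapses the per-version repeats onto one gid:sid, summarises the pack, and lists the disabled SIDs in the categories you care about. The sample input is a handful of entries excerpted from the lists above; the category names passed to `disabled_in` are an assumption about what a given deployment runs.

```python
"""Parse Talos rule-update release-note lines:
    gid:sid <-> STATE <-> CATEGORY message (rulefile.rules)
Added example, not part of the Talos page or the Snort project."""
import re
from collections import Counter
from dataclasses import dataclass

# One entry; extraction sometimes joins several with " * ", so finditer is used
# rather than a per-line match. Category is the leading upper-case token
# (SERVER-WEBAPP, MALWARE-CNC, ...); the rule file sits in trailing parentheses.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s*\((?P<rulefile>[^)]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    category: str
    msg: str
    rulefile: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_entries(text: str) -> list:
    """Every entry found in text, in document order (repeats included)."""
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                  m["category"], m["msg"], m["rulefile"])
        for m in ENTRY_RE.finditer(text)
    ]


def unique_rules(entries: list) -> dict:
    """Collapse the per-Snort-version lists onto one entry per gid:sid.
    The same rule appears once per version (snort3-*.rules vs *.rules),
    so the first occurrence is kept."""
    by_key = {}
    for e in entries:
        by_key.setdefault((e.gid, e.sid), e)
    return by_key


def summarize(entries: list) -> dict:
    """Counts by default state and category, plus the gid 3 (shared-object)
    rules, which only load if the matching SO rule package is installed."""
    rules = list(unique_rules(entries).values())
    return {
        "total": len(rules),
        "by_state": dict(Counter(e.state for e in rules)),
        "by_category": dict(Counter(e.category for e in rules)),
        "shared_object": sorted(e.key for e in rules if e.gid == 3),
    }


def disabled_in(entries: list, categories) -> list:
    """gid:sid of rules that ship DISABLED in the given categories, sorted
    numerically, i.e. the ones to review for enabling (one per line is the
    shape rule-management tools such as pulledpork take; assumption, check
    your tool's documentation)."""
    wanted = set(categories)
    rules = unique_rules(entries).values()
    picked = [e for e in rules if e.state == "DISABLED" and e.category in wanted]
    return [e.key for e in sorted(picked, key=lambda e: (e.gid, e.sid))]


# Constructed sample: entries excerpted from the lists above, with the first
# line deliberately carrying two entries as the extracted page does.
SAMPLE = """\
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules) * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
* 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
* 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
* 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
* 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
"""

if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    print(summarize(found))
    # Assumed deployment: web apps and generic servers are in scope.
    for key in disabled_in(found, ["SERVER-WEBAPP", "SERVER-OTHER"]):
        print(key)
```

Feed it the whole page rather than the sample to get the real counts for this pack; the `by_state` figure makes the default-off point concrete, and the `shared_object` list is the set of TRUFFLEHUNTER rules that will be silently absent on a sensor without the SO rule package for its platform.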