Talos has added rules to the file-other, malware-cnc, policy-other and server-webapp rule sets, and modified a rule in the server-other rule set, to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
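Because the notice lists every rule together with its default state, the follow-up work (finding out what will actually fire after the update, and turning on what will not) can be scripted. The Python below is an added example, not Talos or Snort code: it parses the gid:sid <-> state <-> message (group) format stated above, also when an extractor has run several entries together on one line, separates the entries that ship DISABLED, picks out the gid 3 shared-object rules, and emits a PulledPork enablesid.conf fragment for the disabled rules in chosen categories. The sample text is a constructed excerpt of this notice; selecting rules to enable by category rather than by individual sid is an assumption of the example.

```python
"""Parse a Talos rule-update notice and summarise what needs operator action.

Added example, not part of the Talos notice. The entry format is the one
the notice states:  gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from collections import Counter, namedtuple

# One parsed entry. `category` is the leading tag of the message
# (MALWARE-CNC, SERVER-WEBAPP, ...); `group` is the rules file it ships in.
Rule = namedtuple("Rule", "gid sid state category msg group")

# Matches the notice's layout. finditer (rather than per-line matching) and
# DOTALL let it cope with lists an extractor has run onto one line or split
# across two; the group must end in ".rules" so parentheses inside a message
# cannot terminate it early.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)",
    re.DOTALL,
)

# Constructed sample: entries copied from this notice, with the last two
# deliberately run together on one line the way extracted copies often are.
SAMPLE_NOTICE = """\
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules) * 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
"""


def parse_notice(text):
    """Return the entries of a rule-update notice, in the order listed."""
    rules = []
    for m in ENTRY_RE.finditer(text):
        msg = " ".join(m.group("msg").split())   # collapse stray line breaks
        category = msg.split(" ", 1)[0]
        rules.append(Rule(int(m.group("gid")), int(m.group("sid")),
                          m.group("state"), category, msg, m.group("group")))
    return rules


def disabled_by_default(rules):
    """Entries that ship DISABLED: they detect nothing until enabled."""
    return [r for r in rules if r.state == "DISABLED"]


def shared_object_rules(rules):
    """gid 3 entries are shared-object (SO) rules: they need the precompiled
    .so built for the exact Snort version and have no rule text to tune."""
    return [r for r in rules if r.gid == 3]


def enablesid_conf(rules, categories):
    """Build a PulledPork enablesid.conf fragment (one 'gid:sid' per line,
    '#' comments) for the DISABLED rules whose category is in `categories`.
    The category-based selection is this example's policy, not PulledPork's."""
    wanted = {c.upper() for c in categories}
    lines = []
    for r in disabled_by_default(rules):
        if r.category in wanted:
            lines.append(f"# {r.msg} ({r.group})")
            lines.append(f"{r.gid}:{r.sid}")
    return "\n".join(lines)


def summary(rules):
    """Count ENABLED/DISABLED entries per rules file."""
    return Counter((r.group, r.state) for r in rules)


if __name__ == "__main__":
    parsed = parse_notice(SAMPLE_NOTICE)
    for (group, state), n in sorted(summary(parsed).items()):
        print(f"{group:22s} {state:8s} {n}")
    print(enablesid_conf(parsed, ["SERVER-WEBAPP", "POLICY-OTHER"]))
```

Run against the full list above, the split is stark: every SERVER-WEBAPP, POLICY-OTHER and FILE-OTHER text rule in this pack ships DISABLED, so a sensor that only pulls the update gains no coverage for the TVT, Joomla, phpMyAdmin, OpenMRS or libexpat detections until those sids are turned on; only the MALWARE-CNC rules and the gid 3 TRUFFLEHUNTER rules fire out of the box. The Snort 3 (3000) list further down carries no gid 3 entries at all, so the TALOS-2019-0951 and TALOS-2019-0957 shared-object coverage in this pack applies only to the Snort 2.9.x builds listed.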
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (snort3-file-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (snort3-policy-other.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (snort3-server-webapp.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (snort3-malware-cnc.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (snort3-policy-other.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (snort3-malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (snort3-policy-other.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (snort3-malware-cnc.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (snort3-server-webapp.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (snort3-server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (snort3-server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (snort3-server-webapp.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (snort3-server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (snort3-malware-cnc.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (snort3-server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (snort3-server-webapp.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (snort3-server-webapp.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (snort3-file-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added Rules:
* 1:52258 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52259 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52278 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52277 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS command injection attempt (server-webapp.rules)
* 1:52280 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS admin default credentials login attempt (policy-other.rules)
* 1:52255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerShell variant outbound connection (malware-cnc.rules)
* 1:52272 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52273 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52271 <-> DISABLED <-> SERVER-WEBAPP Joomla Jimtawl id parameter SQL injection attempt (server-webapp.rules)
* 1:52263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52262 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52254 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52281 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52279 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52266 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin direct access server deletion attempt (server-webapp.rules)
* 1:52267 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 1:52276 <-> DISABLED <-> SERVER-WEBAPP Shenzhen TVT Digital Technology API OS buffer overflow attempt (server-webapp.rules)
* 1:52268 <-> DISABLED <-> SERVER-WEBAPP OpenMRS insecure object deserialization attempt (server-webapp.rules)
* 1:52261 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52253 <-> DISABLED <-> FILE-OTHER libexpat internal entity heap over-read attempt (file-other.rules)
* 1:52260 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52282 <-> DISABLED <-> POLICY-OTHER Shenzhen TVT Digital Technology API OS telnet root default credentials login attempt (policy-other.rules)
* 1:52256 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
* 1:52257 <-> ENABLED <-> MALWARE-CNC Js.Trojan.FakeUpdate outbound connection (malware-cnc.rules)
* 1:52264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex variant inbound connection (malware-cnc.rules)
* 1:52265 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin delete server cross-site request forgery attempt (server-webapp.rules)
* 3:52274 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
* 3:52275 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0951 attack attempt (policy-other.rules)
* 3:52270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0957 attack attempt (file-other.rules)
Modified Rules:
* 1:29603 <-> DISABLED <-> SERVER-OTHER HP Data Protector Backup Client Service code execution attempt (server-other.rules)