Talos has added and modified multiple rules in the browser-ie, exploit-kit, indicator-obfuscation, indicator-shellcode, malware-cnc, netbios, protocol-dns, protocol-voip, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (snort3-protocol-dns.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (snort3-server-webapp.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (snort3-indicator-obfuscation.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (snort3-indicator-shellcode.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (snort3-malware-cnc.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (snort3-exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (snort3-exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (snort3-malware-cnc.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (snort3-exploit-kit.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (snort3-exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (snort3-exploit-kit.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (snort3-exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (snort3-exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (snort3-server-oracle.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (snort3-exploit-kit.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (snort3-malware-cnc.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (snort3-exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (snort3-exploit-kit.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (snort3-exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (snort3-exploit-kit.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (snort3-exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (snort3-exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (snort3-exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (snort3-protocol-voip.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (snort3-exploit-kit.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (snort3-exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (snort3-exploit-kit.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (snort3-exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (snort3-exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (snort3-exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (snort3-exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (snort3-exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (snort3-exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (snort3-exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
* 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
* 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
* 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
* 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
* 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
* 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
* 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
* 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
* 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
* 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
* 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
* 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
* 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
* 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
* 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
* 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
* 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
* 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
* 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
* 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
* 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
* 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
* 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
* 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
* 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
* 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
* 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
* 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
* 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
* 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
* 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
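The lists above all share the `gid:sid <-> Default rule state <-> Message (rule group)` format, and the questions an operator actually has about each release are mechanical: which of the new rules ship DISABLED and so give no coverage until enabled (here 1:57383, 1:57384, 1:57385 and 1:57388), which entries are GID 3 shared-object rules that only exist once the SO package for the platform is installed (3:57265, which is absent from the Snort 3 list), and what differs between the list for one version and another. The parser below is an added example written for this page, not Talos tooling; it works on the flattened, `*`-separated form the page uses, tolerates an entry broken across a line, and answers those three questions over constructed excerpts copied from the lists above.

```python
import re
from dataclasses import dataclass

# One entry of the list format the page describes:
#   gid:sid <-> Default rule state <-> Message (rule group)
# The lists are often flattened into ' * '-separated runs, sometimes with an
# entry broken across a line, so the pattern is applied to whitespace-
# normalised text rather than line by line.
ENTRY = re.compile(
    r"(?:^|\*)\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str   # default state in the rule pack: ENABLED or DISABLED
    msg: str
    group: str   # rule file, e.g. exploit-kit.rules or snort3-exploit-kit.rules

    @property
    def category(self) -> str:
        # The msg field opens with the rule category (EXPLOIT-KIT, MALWARE-CNC, ...).
        return self.msg.split(" ", 1)[0]


def parse_entries(text: str) -> list[RuleEntry]:
    """Parse every gid:sid entry in a rule-update list, flattened or not."""
    flat = " ".join(text.split())   # joins entries that were broken across lines
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"].strip(), m["group"])
        for m in ENTRY.finditer(flat)
    ]


def default_disabled(entries: list[RuleEntry]) -> list[str]:
    """Rules shipped DISABLED: coverage that fires only if you enable it yourself."""
    return sorted(f"{e.gid}:{e.sid}" for e in entries if e.state == "DISABLED")


def shared_object_rules(entries: list[RuleEntry]) -> list[str]:
    """GID 3 entries are shared object (SO) rules: they are delivered as
    precompiled objects, so the SO package for your platform must be
    installed for them to exist at all."""
    return [f"{e.gid}:{e.sid}" for e in entries if e.gid == 3]


def diff_lists(old: list[RuleEntry], new: list[RuleEntry]) -> tuple[list, list]:
    """(added, removed) (gid, sid) pairs between two version lists."""
    o = {(e.gid, e.sid) for e in old}
    n = {(e.gid, e.sid) for e in new}
    return sorted(n - o), sorted(o - n)


def count_by_category(entries: list[RuleEntry]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts


# Constructed excerpts, copied from the lists on this page; the first keeps an
# entry broken across a line break exactly as the flattened page shows it.
SAMPLE_2091701 = """\
* 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules) * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules) * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
* 1:42331 <-> ENABLED <-> MALWARE-CNC
Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules) * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
"""

SAMPLE_3000 = """\
* 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules) * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (snort3-protocol-dns.rules) * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (snort3-malware-cnc.rules)
"""

if __name__ == "__main__":
    v2 = parse_entries(SAMPLE_2091701)
    v3 = parse_entries(SAMPLE_3000)
    print("disabled by default:", default_disabled(v2))
    print("shared object rules:", shared_object_rules(v2))
    print("per category:", count_by_category(v2))
    added, removed = diff_lists(v2, v3)
    print("in 2091701 but not in the Snort 3 list:", removed)
```

Feed it the full list for two versions and `diff_lists` shows exactly which SIDs moved between packs; `default_disabled` is the set to review before assuming the release added detection for, say, the dnsmasq `sort_rrset` overflow, because 1:57383 is off by default in every list on this page.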