The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, exploit, exploit-kit, file-identify, file-office, file-other, file-pdf, malware-backdoor, malware-cnc, malware-other, protocol-ftp, protocol-snmp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31107 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.ru - Win.Trojan.Blackshades (blacklist.rules)
* 1:31130 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31128 <-> DISABLED <-> PROTOCOL-FTP CoreFTP FTP Server TYPE command denial of service attempt (protocol-ftp.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
* 1:31109 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info.ovh.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31108 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31110 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.no-ip.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:31134 <-> ENABLED <-> BLACKLIST DNS request for known malware domain obamasu.webs.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31120 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uol.conhecaauol.com.br - Win.Trojan.Cahecon (blacklist.rules)
* 1:31119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marmoolak variant outbound connection (malware-cnc.rules)
* 1:31118 <-> ENABLED <-> BLACKLIST DNS request for known malware domain red-move.tk - Win.Trojan.Marmoolak (blacklist.rules)
* 1:31117 <-> ENABLED <-> BLACKLIST DNS request for known malware domain download.ustechsupport.com (blacklist.rules)
* 1:31116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Garsuni variant outbound connection (malware-cnc.rules)
* 1:31115 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bagi.ly - Win.Trojan.Garsuni (blacklist.rules)
* 1:31135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Deedevil variant outbound connection (malware-cnc.rules)
* 1:31112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos password stealing attempt (malware-cnc.rules)
* 1:31111 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.sytes.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31146 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
* 1:31114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rfusclient outbound connection attempt (malware-cnc.rules)
* 1:31122 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent svchost (blacklist.rules)
* 1:31121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cahecon outbound connection (malware-cnc.rules)
* 1:31124 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pyrtomsop outbound communication (malware-cnc.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31129 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31102 <-> DISABLED <-> SERVER-OTHER TrendMicro InterScan Viruswall directory traversal attempt (server-other.rules)
* 1:31104 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31101 <-> DISABLED <-> SERVER-OTHER Sharetronix cross site request forgery attempt (server-other.rules)
* 1:31098 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:31099 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31100 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt (protocol-snmp.rules)
* 1:31097 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series password enumeration attempt (protocol-snmp.rules)
* 1:31095 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:31096 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess inbound communication (malware-cnc.rules)
* 1:31133 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fudcrypt.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31138 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dudicalworld.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31137 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aisgolf.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31140 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nyescortsasianoutcall.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31131 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31142 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sloft variant outbound connection (malware-cnc.rules)
* 1:31141 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trinity-electric-inc.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31139 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fourchette-des-arenes.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31143 <-> ENABLED <-> SERVER-WEBAPP CA ERwin Web Portal ConfigServiceProvider directory traversal attempt (server-webapp.rules)
* 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
* 1:20481 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:22078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
* 1:24572 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:24574 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules)
* 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
* 1:28347 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS (malware-other.rules)
* 1:28348 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - request to go.php (malware-other.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29412 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Java download attempt (exploit-kit.rules)
* 1:29417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Solimba download attempt (malware-cnc.rules)
* 1:30260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30992 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31091 <-> ENABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2960.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31120 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uol.conhecaauol.com.br - Win.Trojan.Cahecon (blacklist.rules)
* 1:31119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marmoolak variant outbound connection (malware-cnc.rules)
* 1:31118 <-> ENABLED <-> BLACKLIST DNS request for known malware domain red-move.tk - Win.Trojan.Marmoolak (blacklist.rules)
* 1:31117 <-> ENABLED <-> BLACKLIST DNS request for known malware domain download.ustechsupport.com (blacklist.rules)
* 1:31116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Garsuni variant outbound connection (malware-cnc.rules)
* 1:31115 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bagi.ly - Win.Trojan.Garsuni (blacklist.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31104 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31101 <-> DISABLED <-> SERVER-OTHER Sharetronix cross site request forgery attempt (server-other.rules)
* 1:31102 <-> DISABLED <-> SERVER-OTHER TrendMicro InterScan Viruswall directory traversal attempt (server-other.rules)
* 1:31099 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31100 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt (protocol-snmp.rules)
* 1:31097 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series password enumeration attempt (protocol-snmp.rules)
* 1:31098 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:31095 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:31096 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31108 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31109 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info.ovh.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31110 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.no-ip.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:31114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rfusclient outbound connection attempt (malware-cnc.rules)
* 1:31121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cahecon outbound connection (malware-cnc.rules)
* 1:31122 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent svchost (blacklist.rules)
* 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
* 1:31124 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pyrtomsop outbound communication (malware-cnc.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31128 <-> DISABLED <-> PROTOCOL-FTP CoreFTP FTP Server TYPE command denial of service attempt (protocol-ftp.rules)
* 1:31130 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31129 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31131 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31133 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fudcrypt.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Deedevil variant outbound connection (malware-cnc.rules)
* 1:31134 <-> ENABLED <-> BLACKLIST DNS request for known malware domain obamasu.webs.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess inbound communication (malware-cnc.rules)
* 1:31137 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aisgolf.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31138 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dudicalworld.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31140 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nyescortsasianoutcall.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31139 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fourchette-des-arenes.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31146 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
* 1:31111 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.sytes.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos password stealing attempt (malware-cnc.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31143 <-> ENABLED <-> SERVER-WEBAPP CA ERwin Web Portal ConfigServiceProvider directory traversal attempt (server-webapp.rules)
* 1:31107 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.ru - Win.Trojan.Blackshades (blacklist.rules)
* 1:31141 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trinity-electric-inc.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31142 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sloft variant outbound connection (malware-cnc.rules)
* 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
* 1:20481 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:22078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
* 1:24572 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:24574 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules)
* 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
* 1:28347 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS (malware-other.rules)
* 1:28348 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - request to go.php (malware-other.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29412 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Java download attempt (exploit-kit.rules)
* 1:29417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Solimba download attempt (malware-cnc.rules)
* 1:30260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30992 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31091 <-> ENABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:31146 <-> DISABLED <-> PUA-ADWARE Win.Adware.iBryte variant outbound connection (pua-adware.rules)
* 1:31145 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response (malware-cnc.rules)
* 1:31144 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive (malware-cnc.rules)
* 1:31143 <-> ENABLED <-> SERVER-WEBAPP CA ERwin Web Portal ConfigServiceProvider directory traversal attempt (server-webapp.rules)
* 1:31142 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sloft variant outbound connection (malware-cnc.rules)
* 1:31141 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trinity-electric-inc.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31140 <-> ENABLED <-> BLACKLIST DNS request for known malware domain nyescortsasianoutcall.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31139 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fourchette-des-arenes.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31138 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dudicalworld.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31137 <-> ENABLED <-> BLACKLIST DNS request for known malware domain aisgolf.com - Win.Trojan.Sloft (blacklist.rules)
* 1:31136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeroAccess inbound communication (malware-cnc.rules)
* 1:31135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Deedevil variant outbound connection (malware-cnc.rules)
* 1:31134 <-> ENABLED <-> BLACKLIST DNS request for known malware domain obamasu.webs.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31133 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fudcrypt.com - Win.Trojan.Deedevil (blacklist.rules)
* 1:31132 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31131 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Petun variant outbound connection (malware-cnc.rules)
* 1:31130 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31129 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit encrypted binary download (exploit-kit.rules)
* 1:31128 <-> DISABLED <-> PROTOCOL-FTP CoreFTP FTP Server TYPE command denial of service attempt (protocol-ftp.rules)
* 1:31127 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31126 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31125 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:31124 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pyrtomsop outbound communication (malware-cnc.rules)
* 1:31123 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant inbound connection attempt (malware-cnc.rules)
* 1:31122 <-> ENABLED <-> BLACKLIST User-Agent known malicious user agent - User-Agent svchost (blacklist.rules)
* 1:31121 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cahecon outbound connection (malware-cnc.rules)
* 1:31120 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uol.conhecaauol.com.br - Win.Trojan.Cahecon (blacklist.rules)
* 1:31119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Marmoolak variant outbound connection (malware-cnc.rules)
* 1:31118 <-> ENABLED <-> BLACKLIST DNS request for known malware domain red-move.tk - Win.Trojan.Marmoolak (blacklist.rules)
* 1:31117 <-> ENABLED <-> BLACKLIST DNS request for known malware domain download.ustechsupport.com (blacklist.rules)
* 1:31116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Garsuni variant outbound connection (malware-cnc.rules)
* 1:31115 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bagi.ly - Win.Trojan.Garsuni (blacklist.rules)
* 1:31114 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rfusclient outbound connection attempt (malware-cnc.rules)
* 1:31113 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos variant outbound connection attempt (malware-cnc.rules)
* 1:31112 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bancos password stealing attempt (malware-cnc.rules)
* 1:31111 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.sytes.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31110 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.no-ip.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31109 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info.ovh.net - Win.Trojan.Blackshades (blacklist.rules)
* 1:31108 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.info - Win.Trojan.Blackshades (blacklist.rules)
* 1:31107 <-> ENABLED <-> BLACKLIST DNS request for known malware domain blackshades.ru - Win.Trojan.Blackshades (blacklist.rules)
* 1:31106 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31105 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31104 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:31102 <-> DISABLED <-> SERVER-OTHER TrendMicro InterScan Viruswall directory traversal attempt (server-other.rules)
* 1:31101 <-> DISABLED <-> SERVER-OTHER Sharetronix cross site request forgery attempt (server-other.rules)
* 1:31100 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt (protocol-snmp.rules)
* 1:31099 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31098 <-> DISABLED <-> PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:31097 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series password enumeration attempt (protocol-snmp.rules)
* 1:31096 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt (protocol-snmp.rules)
* 1:31095 <-> DISABLED <-> PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt (protocol-snmp.rules)
* 1:19049 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Gigade variant outbound connection attempt (malware-cnc.rules)
* 1:20481 <-> ENABLED <-> FILE-IDENTIFY MP3 file magic detected (file-identify.rules)
* 1:20534 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:22078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
* 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
* 1:24572 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:24574 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDB use-after-free attempt (browser-firefox.rules)
* 1:27538 <-> DISABLED <-> MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name (malware-other.rules)
* 1:27702 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit landing page (exploit-kit.rules)
* 1:28347 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS (malware-other.rules)
* 1:28348 <-> DISABLED <-> MALWARE-OTHER SimpleTDS - request to go.php (malware-other.rules)
* 1:28549 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:28550 <-> DISABLED <-> FILE-OFFICE Microsoft Excel rtToolbarDef record integer overflow attempt (file-office.rules)
* 1:29412 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit Java download attempt (exploit-kit.rules)
* 1:29417 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Solimba download attempt (malware-cnc.rules)
* 1:30260 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mudrop variant outbound connection (malware-cnc.rules)
* 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
* 1:30992 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:30993 <-> DISABLED <-> FILE-OTHER invalid ELF padding field value attempt (file-other.rules)
* 1:31015 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31016 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader integer overflow attempt (file-pdf.rules)
* 1:31046 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound URL structure (exploit-kit.rules)
* 1:31091 <-> ENABLED <-> PUA-ADWARE Win.Adware.Inbox/PCFixSpeed/RebateInformer variant outbound connection (pua-adware.rules)
* 3:15848 <-> ENABLED <-> EXPLOIT WINS replication request memory corruption attempt (exploit.rules)