Talos Rules 2017-08-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-08-29 14:45:27 UTC

Snort Subscriber Rules Update

Date: 2017-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules)
 * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules)
 * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules)
 * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules)
 * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules)
 * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules)
 * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules)
 * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules)
 * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules)
 * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules)
 * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules)
 * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules)
 * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules)
 * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules)
 * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
 * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)

Modified Rules:

 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)

2017-08-29 14:45:27 UTC

Snort Subscriber Rules Update

Date: 2017-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules)
 * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules)
 * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules)
 * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules)
 * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules)
 * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules)
 * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules)
 * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules)
 * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules)
 * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules)
 * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules)
 * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
 * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)

Modified Rules:

 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)

2017-08-29 14:45:27 UTC

Snort Subscriber Rules Update

Date: 2017-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44188 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:44185 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44184 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:44183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file integer overflow attempt (file-office.rules)
 * 1:44181 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44180 <-> DISABLED <-> FILE-OTHER Bluezone Desktop buffer overflow attempt (file-other.rules)
 * 1:44177 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber variant outbound connection (malware-cnc.rules)
 * 1:44176 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44175 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder runscript.php arbitrary file include attempt (server-webapp.rules)
 * 1:44174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:44172 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious dynamic http link creation attempt (indicator-obfuscation.rules)
 * 1:44171 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection (malware-cnc.rules)
 * 1:44170 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44169 <-> DISABLED <-> FILE-PDF Adobe Professional JPEG ICC profile heap overflow attempt (file-pdf.rules)
 * 1:44165 <-> ENABLED <-> SERVER-WEBAPP websocket protocol upgrade request detected (server-webapp.rules)
 * 1:44161 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44160 <-> ENABLED <-> SERVER-OTHER tcpdump ISAKMP parser buffer overflow attempt (server-other.rules)
 * 1:44159 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44158 <-> DISABLED <-> FILE-OTHER Microsoft Windows Media Player malformed au denial of service attempt (file-other.rules)
 * 1:44157 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rich text format invalid field size memory corruption attempt (file-office.rules)
 * 1:44156 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44155 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMPQ denial of service attempt (server-apache.rules)
 * 1:44154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44153 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameBorder denial of service attempt (browser-ie.rules)
 * 1:44152 <-> DISABLED <-> SERVER-OTHER Multmedia Builder MEF buffer overflow attempt (server-other.rules)
 * 1:44151 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
 * 1:44150 <-> DISABLED <-> SERVER-WEBAPP IBM Websphere cross site scripting attempt (server-webapp.rules)
 * 1:44149 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44148 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed loop denial of service attempt (browser-ie.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44145 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44144 <-> ENABLED <-> FILE-PDF Adobe Reader XFA event use after free attempt (file-pdf.rules)
 * 1:44143 <-> DISABLED <-> SERVER-OTHER LCDproc test_func format string code execution attempt (server-other.rules)
 * 1:44141 <-> DISABLED <-> DELETED 29f38b151db94ae1b0364c9a3b4d954b (deleted.rules)
 * 1:44140 <-> DISABLED <-> DELETED 465b8d28677d4df9bef9b0b97b2c3609 (deleted.rules)
 * 1:44139 <-> DISABLED <-> DELETED 71126c2c90c941f5b28b67bd85addb2f (deleted.rules)
 * 1:44138 <-> DISABLED <-> DELETED 84e2cc2e73f840618c410775a5e4dbe1 (deleted.rules)
 * 1:44137 <-> DISABLED <-> DELETED 0ae3e21bb5d8420084dca51ec5435eb6 (deleted.rules)
 * 1:44136 <-> DISABLED <-> DELETED 063fff0fd7d044aa8e84dcf39540e3b5 (deleted.rules)
 * 1:44135 <-> DISABLED <-> DELETED 1c6ff935b28d41ea85a64ad5542bb3a3 (deleted.rules)
 * 1:44134 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44133 <-> DISABLED <-> SERVER-WEBAPP OPENi-CMS Seitenschutz plugin remote file include attempt (server-webapp.rules)
 * 1:44132 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44131 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44130 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Metafile invalid header size integer overflow attempt (os-windows.rules)
 * 1:44128 <-> DISABLED <-> FILE-IMAGE Microsoft Windows metafile SetPaletteEntries heap overflow attempt (file-image.rules)
 * 1:44124 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44123 <-> DISABLED <-> FILE-OTHER EMF EMR_EXTTEXTOUTW record memory corruption attempt (file-other.rules)
 * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44120 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44119 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record crash attempt (file-other.rules)
 * 1:44118 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44117 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44116 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway localBackupFileSelection command injection attempt (server-webapp.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44111 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44110 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 3:44186 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44187 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0425 attack attempt (file-other.rules)
 * 3:44178 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0427 attack attempt (file-image.rules)
 * 3:44167 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44168 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0412 attack attempt (file-image.rules)
 * 3:44164 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules)
 * 3:44162 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0422 attack attempt (policy-other.rules)
 * 3:44163 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0426 attack attempt (file-office.rules)
 * 3:44127 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44142 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0424 attack attempt (policy-other.rules)
 * 3:44126 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44107 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)
 * 3:44125 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration logconfigtracer directory traversal attempt (server-webapp.rules)
 * 3:44106 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0417 attack attempt (file-office.rules)

Modified Rules:

 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:42944 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:41978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:32240 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:33858 <-> DISABLED <-> SERVER-OTHER rsyslog remote PRI out of bounds attempt (server-other.rules)
 * 1:26089 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:29534 <-> DISABLED <-> PROTOCOL-SCADA CODESYS Gateway-Server invalid memory access attempt (protocol-scada.rules)
 * 1:13964 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption attempt (browser-ie.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:11836 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio version number anomaly (file-office.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)