Talos Rules 2018-02-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-02-15 16:04:40 UTC

Snort Subscriber Rules Update

Date: 2018-02-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
 * 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
 * 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)

Modified Rules:
 * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
 * 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt  (server-other.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
 * 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
 * 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)

2018-02-15 16:04:40 UTC

Snort Subscriber Rules Update

Date: 2018-02-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
 * 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
 * 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)

Modified Rules:
 * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt  (server-other.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
 * 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
 * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)

2018-02-15 16:04:40 UTC

Snort Subscriber Rules Update

Date: 2018-02-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (snort3-server-webapp.rules)
 * 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (snort3-server-other.rules)
 * 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (snort3-file-image.rules)
 * 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (snort3-file-image.rules)
 * 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (snort3-file-other.rules)
 * 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)

Modified Rules:
 * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (snort3-file-other.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (snort3-file-flash.rules)
 * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (snort3-file-other.rules)
 * 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (snort3-server-webapp.rules)
 * 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (snort3-file-flash.rules)
 * 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (snort3-file-office.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (snort3-server-webapp.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
 * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt  (snort3-server-other.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (snort3-file-flash.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (snort3-file-flash.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (snort3-browser-plugins.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (snort3-file-flash.rules)
 * 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (snort3-file-office.rules)
 * 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
 * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (snort3-server-webapp.rules)
 * 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
 * 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (snort3-server-webapp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (snort3-file-pdf.rules)
 * 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (snort3-server-webapp.rules)
 * 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (snort3-server-webapp.rules)
 * 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (snort3-server-webapp.rules)
 * 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (snort3-server-webapp.rules)
 * 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (snort3-server-webapp.rules)
 * 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (snort3-server-webapp.rules)
 * 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (snort3-file-office.rules)
 * 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (snort3-file-office.rules)
 * 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (snort3-indicator-compromise.rules)
 * 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (snort3-server-webapp.rules)
 * 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (snort3-indicator-compromise.rules)
 * 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (snort3-file-flash.rules)
 * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (snort3-file-executable.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (snort3-server-webapp.rules)
 * 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (snort3-protocol-ftp.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)

2018-02-15 16:04:40 UTC

Snort Subscriber Rules Update

Date: 2018-02-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
 * 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
 * 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)

Modified Rules:
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
 * 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt  (server-other.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)

2018-02-15 16:04:40 UTC

Snort Subscriber Rules Update

Date: 2018-02-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45677 <-> ENABLED <-> SERVER-WEBAPP HP IMC mibBrowser arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45676 <-> DISABLED <-> SERVER-WEBAPP PHP php_mime_split multipart file upload buffer overflow attempt (server-webapp.rules)
 * 1:45675 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:45685 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45684 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro BMP out of bounds read attempt (file-image.rules)
 * 1:45683 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45682 <-> ENABLED <-> SERVER-OTHER HP Integrated Lights-Out HTTP headers processing buffer overflow attempt (server-other.rules)
 * 1:45681 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45680 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45679 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)
 * 1:45678 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawString out of bounds read attempt (file-other.rules)

Modified Rules:
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45460 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:45493 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45482 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45481 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45480 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200/r201 directory traversal attempt (server-webapp.rules)
 * 1:45479 <-> ENABLED <-> SERVER-WEBAPP Western Digital MyCloud multi_uploadify.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:45467 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45466 <-> ENABLED <-> FILE-OFFICE Microsoft Office None type objclass RTF evasion attempt (file-office.rules)
 * 1:45461 <-> DISABLED <-> PROTOCOL-FTP Multiple products FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:45520 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45519 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal object auto update attempt (indicator-compromise.rules)
 * 1:45517 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45516 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45512 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45511 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor Package objclass RTF evasion attempt (file-office.rules)
 * 1:45509 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45508 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:45498 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45497 <-> DISABLED <-> SERVER-WEBAPP Cambium ePMP and cnPilot command execution attempt (server-webapp.rules)
 * 1:45496 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45495 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud getLogs.psp command injection attempt (server-webapp.rules)
 * 1:45494 <-> DISABLED <-> SERVER-WEBAPP Seagate Personal Cloud uploadTelemetry.psp command injection attempt (server-webapp.rules)
 * 1:45547 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45546 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DefineFont3 tag overly large NumGlyphs out of bounds read attempt (file-flash.rules)
 * 1:45526 <-> DISABLED <-> SERVER-WEBAPP AsusWRT vpnupload.cgi unauthenticated NVRAM configuration modification attempt (server-webapp.rules)
 * 1:45558 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:45555 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt (server-webapp.rules)
 * 1:45548 <-> ENABLED <-> FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download (file-executable.rules)
 * 1:45591 <-> DISABLED <-> PROTOCOL-FTP LabF nfsAxe FTP Client buffer overflow attempt (protocol-ftp.rules)
 * 1:45559 <-> DISABLED <-> FILE-OTHER Multiple products XML Import Command buffer overflow attempt (file-other.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45592 <-> DISABLED <-> SERVER-WEBAPP Cambium cnPilot r200 and r201 configuration file download attempt (server-webapp.rules)
 * 1:45598 <-> ENABLED <-> SERVER-OTHER Wordpress CMS platform denial of service attempt (server-other.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:8422 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Office Outlook View OVCtl ActiveX clsid access (browser-plugins.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDM arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)