Talos Rules 2018-03-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, file-other, file-pdf, malware-cnc, malware-other, malware-tools, policy-other, protocol-ftp, pua-other, server-iis, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-03-06 15:14:08 UTC

Snort Subscriber Rules Update

Date: 2018-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
 * 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
 * 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
 * 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
 * 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
 * 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
 * 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
 * 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
 * 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
 * 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
 * 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)

2018-03-06 15:14:08 UTC

Snort Subscriber Rules Update

Date: 2018-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
 * 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
 * 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
 * 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
 * 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
 * 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
 * 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
 * 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
 * 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)

2018-03-06 15:14:08 UTC

Snort Subscriber Rules Update

Date: 2018-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
 * 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-file-other.rules)
 * 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (snort3-server-mysql.rules)
 * 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (snort3-server-oracle.rules)
 * 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)
 * 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (snort3-server-mysql.rules)
 * 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (snort3-malware-cnc.rules)
 * 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (snort3-server-webapp.rules)
 * 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (snort3-malware-cnc.rules)
 * 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-file-other.rules)
 * 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (snort3-malware-other.rules)
 * 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
 * 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (snort3-server-mysql.rules)
 * 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (snort3-protocol-ftp.rules)
 * 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (snort3-malware-other.rules)
 * 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (snort3-server-mysql.rules)
 * 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (snort3-server-mysql.rules)
 * 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
 * 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (snort3-server-other.rules)
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
 * 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (snort3-server-webapp.rules)
 * 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (snort3-malware-tools.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (snort3-file-other.rules)
 * 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (snort3-pua-other.rules)

Modified Rules:


 * 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (snort3-server-iis.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (snort3-server-webapp.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (snort3-server-oracle.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (snort3-malware-cnc.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
 * 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
 * 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (snort3-policy-other.rules)
 * 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (snort3-policy-other.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (snort3-browser-other.rules)

2018-03-06 15:14:08 UTC

Snort Subscriber Rules Update

Date: 2018-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
 * 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
 * 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
 * 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45839 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
 * 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
 * 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
 * 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
 * 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
 * 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45838 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (file-other.rules)
 * 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)

Modified Rules:


 * 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)

2018-03-06 15:14:08 UTC

Snort Subscriber Rules Update

Date: 2018-03-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45817 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45818 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt (malware-other.rules)
 * 1:45825 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:45847 <-> DISABLED <-> SERVER-MYSQL UDF function create attempt (server-mysql.rules)
 * 1:45848 <-> DISABLED <-> SERVER-MYSQL UDF function drop attempt (server-mysql.rules)
 * 1:45843 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45846 <-> DISABLED <-> SERVER-MYSQL UDF function check attempt (server-mysql.rules)
 * 1:45826 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45816 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos (malware-cnc.rules)
 * 1:45837 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server arbitrary JSP file upload attempt (server-oracle.rules)
 * 1:45844 <-> DISABLED <-> SERVER-MYSQL into dumpfile function attempt (server-mysql.rules)
 * 1:45827 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smominru outbound call (malware-cnc.rules)
 * 1:45845 <-> DISABLED <-> SERVER-MYSQL UDF system access attempt (server-mysql.rules)
 * 1:45828 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:45830 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45831 <-> DISABLED <-> MALWARE-TOOLS TLS-Attacker tool connection attempt - known SSL client random (malware-tools.rules)
 * 1:45840 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45842 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45835 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45834 <-> DISABLED <-> SERVER-WEBAPP /bin/sh access (server-webapp.rules)
 * 1:45841 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Open WebMail userstat.pl command injection attempt (server-webapp.rules)
 * 1:45836 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 3:45832 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45829 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0535 attack attempt (server-other.rules)
 * 3:45833 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager appuserFindList.do SQL injection attempt (server-webapp.rules)
 * 3:45823 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)
 * 3:45824 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0536 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:45267 <-> ENABLED <-> POLICY-OTHER CoinHive Miner Javascript library download detected (policy-other.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:45302 <-> DISABLED <-> BROWSER-OTHER Multiple browser long unicode string denial of service attempt (browser-other.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:45268 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:45266 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:23626 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:45265 <-> ENABLED <-> POLICY-OTHER CoinHive Miner client detected (policy-other.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)