Talos Rules 2018-03-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-office, file-other, malware-cnc, policy-other, protocol-other, protocol-snmp, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-03-29 17:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46112 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46107 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46106 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:46099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection (malware-cnc.rules)
 * 1:46098 <-> DISABLED <-> PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt (protocol-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46118 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46117 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46116 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46115 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46114 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46113 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 3:46109 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46111 <-> ENABLED <-> SERVER-OTHER Cisco IOS Adaptive QoS message parsing stack buffer overflow attempt (server-other.rules)
 * 3:46110 <-> ENABLED <-> SERVER-OTHER Cisco ASR1001 IKEv2 memory leak attempt (server-other.rules)
 * 3:46095 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE default one-time password login detected (policy-other.rules)
 * 3:46127 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46126 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46125 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKEv1 payload denial of service attempt (server-other.rules)
 * 3:46120 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay integer underflow attempt (server-other.rules)
 * 3:46119 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay reply integer underflow attempt (server-other.rules)
 * 3:46096 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message memory corruption or denial of service attempt (server-other.rules)
 * 3:46097 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message denial of service attempt (server-other.rules)
 * 3:46101 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP ciscoFlashFileEntry OID denial of service attempt (protocol-snmp.rules)
 * 3:46102 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46103 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46104 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay agent information memory corruption attempt (server-other.rules)
 * 3:46105 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP natPoolRange OID denial of service attempt (protocol-snmp.rules)
 * 3:46108 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46128 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:18955 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:18956 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:11987 <-> DISABLED <-> PROTOCOL-VOIP Via header format string attempt (protocol-voip.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)

2018-03-29 17:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46116 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46117 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46115 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46118 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46114 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46112 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46113 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46106 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46107 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:46099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection (malware-cnc.rules)
 * 1:46098 <-> DISABLED <-> PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt (protocol-other.rules)
 * 3:46095 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE default one-time password login detected (policy-other.rules)
 * 3:46110 <-> ENABLED <-> SERVER-OTHER Cisco ASR1001 IKEv2 memory leak attempt (server-other.rules)
 * 3:46109 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46111 <-> ENABLED <-> SERVER-OTHER Cisco IOS Adaptive QoS message parsing stack buffer overflow attempt (server-other.rules)
 * 3:46096 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message memory corruption or denial of service attempt (server-other.rules)
 * 3:46128 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46127 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46119 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay reply integer underflow attempt (server-other.rules)
 * 3:46108 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46104 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay agent information memory corruption attempt (server-other.rules)
 * 3:46105 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP natPoolRange OID denial of service attempt (protocol-snmp.rules)
 * 3:46102 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46103 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46101 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP ciscoFlashFileEntry OID denial of service attempt (protocol-snmp.rules)
 * 3:46097 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message denial of service attempt (server-other.rules)
 * 3:46125 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKEv1 payload denial of service attempt (server-other.rules)
 * 3:46126 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46120 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay integer underflow attempt (server-other.rules)

Modified Rules:


 * 1:11987 <-> DISABLED <-> PROTOCOL-VOIP Via header format string attempt (protocol-voip.rules)
 * 1:18956 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:18955 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)

2018-03-29 17:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:46099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection (snort3-malware-cnc.rules)
 * 1:46106 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
 * 1:46115 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (snort3-server-apache.rules)
 * 1:46116 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (snort3-server-apache.rules)
 * 1:46117 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (snort3-file-other.rules)
 * 1:46118 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (snort3-file-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46114 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46107 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
 * 1:46113 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (snort3-protocol-other.rules)
 * 1:46112 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:46098 <-> DISABLED <-> PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt (snort3-protocol-other.rules)

Modified Rules:


 * 1:45839 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-deleted.rules)
 * 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-image.rules)
 * 1:45838 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (snort3-deleted.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:11987 <-> DISABLED <-> PROTOCOL-VOIP Via header format string attempt (snort3-protocol-voip.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-image.rules)
 * 1:18956 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (snort3-server-webapp.rules)
 * 1:18955 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (snort3-server-webapp.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (snort3-server-other.rules)
 * 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)

2018-03-29 17:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46106 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46115 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46107 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46112 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46113 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46114 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46116 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46117 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46118 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46098 <-> DISABLED <-> PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt (protocol-other.rules)
 * 1:46099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection (malware-cnc.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 3:46110 <-> ENABLED <-> SERVER-OTHER Cisco ASR1001 IKEv2 memory leak attempt (server-other.rules)
 * 3:46109 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46111 <-> ENABLED <-> SERVER-OTHER Cisco IOS Adaptive QoS message parsing stack buffer overflow attempt (server-other.rules)
 * 3:46101 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP ciscoFlashFileEntry OID denial of service attempt (protocol-snmp.rules)
 * 3:46095 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE default one-time password login detected (policy-other.rules)
 * 3:46097 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message denial of service attempt (server-other.rules)
 * 3:46103 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46120 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay integer underflow attempt (server-other.rules)
 * 3:46104 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay agent information memory corruption attempt (server-other.rules)
 * 3:46126 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46102 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46125 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKEv1 payload denial of service attempt (server-other.rules)
 * 3:46105 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP natPoolRange OID denial of service attempt (protocol-snmp.rules)
 * 3:46127 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46096 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message memory corruption or denial of service attempt (server-other.rules)
 * 3:46119 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay reply integer underflow attempt (server-other.rules)
 * 3:46108 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46128 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:11987 <-> DISABLED <-> PROTOCOL-VOIP Via header format string attempt (protocol-voip.rules)
 * 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:18956 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:18955 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)

2018-03-29 17:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46117 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46098 <-> DISABLED <-> PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt (protocol-other.rules)
 * 1:46122 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46118 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro JPEG embedded XPS file heap overflow attempt (file-other.rules)
 * 1:46121 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46124 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46116 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 1:46099 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection (malware-cnc.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:46123 <-> DISABLED <-> PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected (protocol-other.rules)
 * 1:46106 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46107 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:46112 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46113 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46114 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:46115 <-> DISABLED <-> SERVER-APACHE FrontPage privilege escalation attempt (server-apache.rules)
 * 3:46109 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46111 <-> ENABLED <-> SERVER-OTHER Cisco IOS Adaptive QoS message parsing stack buffer overflow attempt (server-other.rules)
 * 3:46102 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46110 <-> ENABLED <-> SERVER-OTHER Cisco ASR1001 IKEv2 memory leak attempt (server-other.rules)
 * 3:46125 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKEv1 payload denial of service attempt (server-other.rules)
 * 3:46119 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay reply integer underflow attempt (server-other.rules)
 * 3:46096 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message memory corruption or denial of service attempt (server-other.rules)
 * 3:46127 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46126 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46128 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE IGMP denial of service attempt (server-other.rules)
 * 3:46097 <-> ENABLED <-> SERVER-OTHER Cisco SMI invalid discovery init message denial of service attempt (server-other.rules)
 * 3:46108 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning writable file privilege escalation attempt (server-webapp.rules)
 * 3:46101 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP ciscoFlashFileEntry OID denial of service attempt (protocol-snmp.rules)
 * 3:46104 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay agent information memory corruption attempt (server-other.rules)
 * 3:46105 <-> ENABLED <-> PROTOCOL-SNMP Cisco IOS SNMP natPoolRange OID denial of service attempt (protocol-snmp.rules)
 * 3:46103 <-> ENABLED <-> POLICY-OTHER Flash file external url request attempt (policy-other.rules)
 * 3:46095 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE default one-time password login detected (policy-other.rules)
 * 3:46120 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP relay integer underflow attempt (server-other.rules)

Modified Rules:


 * 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:11987 <-> DISABLED <-> PROTOCOL-VOIP Via header format string attempt (protocol-voip.rules)
 * 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 1:18956 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:18955 <-> DISABLED <-> SERVER-WEBAPP Symantec IM Manager LoggedInUsers.lgx definition file multiple SQL injections attempt (server-webapp.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)