Talos Rules 2018-04-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-office, malware-cnc, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-04-17 14:13:28 UTC

Snort Subscriber Rules Update

Date: 2018-04-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt detected (server-webapp.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46311 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt (server-webapp.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46304 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt (server-other.rules)
 * 1:46303 <-> DISABLED <-> SERVER-WEBAPP Antsle antman authentication bypass attempt (server-webapp.rules)
 * 1:46302 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:46338 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46337 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46336 <-> DISABLED <-> SERVER-APACHE  Apache Jetspeed User Manager service unauthorized API access attempt (server-apache.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46334 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46333 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46332 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46331 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46330 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46329 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46328 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt (server-webapp.rules)
 * 1:46327 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46326 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46325 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt (server-webapp.rules)
 * 1:46324 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46346 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46345 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46344 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 3:46343 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Analysis graph.php directory traversal attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)

2018-04-17 14:13:28 UTC

Snort Subscriber Rules Update

Date: 2018-04-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46337 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46304 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt (server-other.rules)
 * 1:46302 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt (server-webapp.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46303 <-> DISABLED <-> SERVER-WEBAPP Antsle antman authentication bypass attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:46338 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46346 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46345 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46344 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46336 <-> DISABLED <-> SERVER-APACHE  Apache Jetspeed User Manager service unauthorized API access attempt (server-apache.rules)
 * 1:46334 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46332 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46333 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46330 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46331 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46328 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt (server-webapp.rules)
 * 1:46329 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46326 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46327 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46324 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:46325 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt (server-webapp.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt detected (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46311 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 3:46343 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Analysis graph.php directory traversal attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)

Modified Rules:


 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)

2018-04-17 14:13:28 UTC

Snort Subscriber Rules Update

Date: 2018-04-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (snort3-server-webapp.rules)
 * 1:46346 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (snort3-server-webapp.rules)
 * 1:46345 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (snort3-server-webapp.rules)
 * 1:46344 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (snort3-server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (snort3-server-other.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (snort3-server-webapp.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (snort3-malware-cnc.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46337 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (snort3-server-webapp.rules)
 * 1:46302 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt (snort3-server-webapp.rules)
 * 1:46304 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt (snort3-server-other.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46338 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (snort3-server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (snort3-server-other.rules)
 * 1:46336 <-> DISABLED <-> SERVER-APACHE  Apache Jetspeed User Manager service unauthorized API access attempt (snort3-server-apache.rules)
 * 1:46333 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (snort3-server-webapp.rules)
 * 1:46334 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (snort3-server-webapp.rules)
 * 1:46331 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (snort3-server-webapp.rules)
 * 1:46332 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (snort3-server-webapp.rules)
 * 1:46329 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (snort3-server-webapp.rules)
 * 1:46330 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (snort3-server-webapp.rules)
 * 1:46327 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (snort3-server-apache.rules)
 * 1:46328 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt (snort3-server-webapp.rules)
 * 1:46325 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt (snort3-server-webapp.rules)
 * 1:46326 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (snort3-server-apache.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:46324 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (snort3-server-other.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt detected (snort3-server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (snort3-server-other.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (snort3-server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (snort3-server-webapp.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (snort3-server-other.rules)
 * 1:46311 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt (snort3-server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (snort3-server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (snort3-server-other.rules)
 * 1:46303 <-> DISABLED <-> SERVER-WEBAPP Antsle antman authentication bypass attempt (snort3-server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (snort3-server-other.rules)

Modified Rules:


 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (snort3-file-office.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (snort3-file-flash.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (snort3-file-office.rules)

2018-04-17 14:13:28 UTC

Snort Subscriber Rules Update

Date: 2018-04-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46338 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46344 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46346 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46303 <-> DISABLED <-> SERVER-WEBAPP Antsle antman authentication bypass attempt (server-webapp.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46302 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt (server-webapp.rules)
 * 1:46337 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46336 <-> DISABLED <-> SERVER-APACHE  Apache Jetspeed User Manager service unauthorized API access attempt (server-apache.rules)
 * 1:46345 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46334 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46333 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46330 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46331 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46332 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46329 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46326 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46327 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46328 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt (server-webapp.rules)
 * 1:46325 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt (server-webapp.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46324 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt detected (server-webapp.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46311 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46304 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt (server-other.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 3:46343 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Analysis graph.php directory traversal attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)

Modified Rules:


 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)

2018-04-17 14:13:28 UTC

Snort Subscriber Rules Update

Date: 2018-04-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46345 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46341 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt (server-webapp.rules)
 * 1:46337 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46304 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ JMS ObjectMessage deserialization attempt (server-other.rules)
 * 1:46302 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUEventHistory SQL injection attempt (server-webapp.rules)
 * 1:46340 <-> DISABLED <-> SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt (server-webapp.rules)
 * 1:46342 <-> DISABLED <-> SERVER-OTHER QNAP QTS cross site request forgery attempt (server-other.rules)
 * 1:46331 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46346 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46305 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46303 <-> DISABLED <-> SERVER-WEBAPP Antsle antman authentication bypass attempt (server-webapp.rules)
 * 1:46344 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk directory traversal attempt (server-webapp.rules)
 * 1:46338 <-> ENABLED <-> SERVER-WEBAPP Joomla Saxum Picker SQL injection attempt (server-webapp.rules)
 * 1:46329 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46330 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46327 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46317 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46325 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center UrlAccessController authentication bypass attempt (server-webapp.rules)
 * 1:46326 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt (server-apache.rules)
 * 1:46323 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46313 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46318 <-> DISABLED <-> SERVER-OTHER NETGEAR TelnetEnable attempt (server-other.rules)
 * 1:46322 <-> DISABLED <-> SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt (server-webapp.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt detected (server-webapp.rules)
 * 1:46309 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46314 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46315 <-> DISABLED <-> SERVER-WEBAPP Joomla restore.php PHP object injection attempt (server-webapp.rules)
 * 1:46312 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 information disclosure attempt (server-webapp.rules)
 * 1:46310 <-> DISABLED <-> SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt (server-other.rules)
 * 1:46311 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUTransferHistory SQL injection attempt (server-webapp.rules)
 * 1:46308 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46307 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46306 <-> DISABLED <-> SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt (server-webapp.rules)
 * 1:46301 <-> DISABLED <-> SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow (server-other.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:46336 <-> DISABLED <-> SERVER-APACHE  Apache Jetspeed User Manager service unauthorized API access attempt (server-apache.rules)
 * 1:46335 <-> DISABLED <-> SERVER-OTHER QNAP QTS hard coded credential access attempt (server-other.rules)
 * 1:46332 <-> DISABLED <-> SERVER-WEBAPP SearchBlox unauthorized access attempt (server-webapp.rules)
 * 1:46333 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46334 <-> ENABLED <-> SERVER-WEBAPP Joomla DT Register SQL injection attempt (server-webapp.rules)
 * 1:46328 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed PageManagementService persistent XSS attempt (server-webapp.rules)
 * 1:46324 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46343 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Network Analysis graph.php directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)