Talos Rules 2018-06-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-cnc, policy-other, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-image.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (snort3-server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (snort3-server-webapp.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-image.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (snort3-indicator-compromise.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (snort3-indicator-compromise.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (snort3-server-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (snort3-file-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (snort3-browser-ie.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (snort3-browser-ie.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (snort3-server-webapp.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (snort3-file-office.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (snort3-exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (snort3-file-other.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (snort3-file-office.rules)

Modified Rules:
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (snort3-malware-cnc.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (snort3-sql.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (snort3-browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (snort3-browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (snort3-malware-cnc.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

Modified Rules:
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

Modified Rules:
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)