Talos Rules 2018-07-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-executable, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies. Note that many of the new Adobe Acrobat file-format rules ship DISABLED in the default policy and must be enabled explicitly if that coverage is wanted.

Change logs

2018-07-24 13:35:54 UTC

Snort Subscriber Rules Update

Date: 2018-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
 * 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
 * 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
 * 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)

Modified Rules:


 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
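As an added example (not part of the Talos release note or the Snort rule pack), the following Python parser reads change logs in the `gid:sid <-> Default rule state <-> Message (rule group)` format described above and answers the questions an operator usually has: which new rules arrive DISABLED by default, which entries are gid 3 shared-object (SO) rules that need the precompiled module for the platform, and whether every per-version block carries the same set of rules. The file layout it assumes (a "for Snort version N." line, "New Rules:" and "Modified Rules:" headers, one " * " line per rule) is inferred from this page; the embedded sample is an abbreviated excerpt of the blocks above.

```python
"""Parse a Snort Subscriber Rules Update change log and sanity-check it."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Abbreviated excerpt of the 2018-07-24 release note: two of its five
# per-version blocks, a few rules each. The rule lines are copied verbatim.
SAMPLE = """\
Snort Subscriber Rules Update

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:

 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

Modified Rules:

 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

Snort Subscriber Rules Update

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (snort3-file-image.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (snort3-malware-other.rules)

Modified Rules:

 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
"""


class Rule(NamedTuple):
    gid: int
    sid: int
    state: str      # default policy state: ENABLED or DISABLED
    category: str   # leading message token, e.g. FILE-IMAGE, MALWARE-CNC
    msg: str
    rulefile: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


# " * gid:sid <-> STATE <-> CATEGORY message text (rulefile)"
RULE_RE = re.compile(
    r"^\s*\*\s+(\d+):(\d+)\s+<->\s+(ENABLED|DISABLED)\s+<->\s+"
    r"([A-Z0-9-]+)\s+(.*?)\s+\(([^()]+)\)\s*$"
)
VERSION_RE = re.compile(r"for Snort version (\d+)\.")


def parse_release(text: str) -> Dict[str, Dict[str, List[Rule]]]:
    """Return {snort_version: {"new": [...], "modified": [...]}}."""
    release: Dict[str, Dict[str, List[Rule]]] = {}
    version = section = None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:                       # a new per-version block starts here
            version = m.group(1)
            release[version] = {"new": [], "modified": []}
            section = None
            continue
        if line.startswith("New Rules:"):
            section = "new"
            continue
        if line.startswith("Modified Rules:"):
            section = "modified"
            continue
        m = RULE_RE.match(line)
        if m and version and section:
            gid, sid, state, cat, msg, rulefile = m.groups()
            release[version][section].append(
                Rule(int(gid), int(sid), state, cat, msg, rulefile))
    return release


def summarize_by_category(rules: List[Rule]) -> Dict[str, Dict[str, int]]:
    """Count ENABLED/DISABLED defaults per category (e.g. FILE-PDF)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"ENABLED": 0, "DISABLED": 0})
    for r in rules:
        counts[r.category][r.state] += 1
    return dict(counts)


def disabled_by_default(rules: List[Rule]) -> List[Rule]:
    """Rules that will not fire unless the operator enables them."""
    return [r for r in rules if r.state == "DISABLED"]


def shared_object_rules(rules: List[Rule]) -> List[Rule]:
    """gid 3 is Snort's shared-object (SO) rule generator; these need the
    precompiled module for the sensor's platform, not just a text rule."""
    return [r for r in rules if r.gid == 3]


def missing_per_version(release: Dict[str, Dict[str, List[Rule]]]) -> Dict[str, Set[str]]:
    """For each Snort version block, the gid:sid keys present in some other
    block but absent from this one (catches, e.g., SO rules not shipped)."""
    keys = {v: {r.key for sec in blk.values() for r in sec}
            for v, blk in release.items()}
    union: Set[str] = set().union(*keys.values()) if keys else set()
    return {v: union - k for v, k in keys.items()}


if __name__ == "__main__":
    rel = parse_release(SAMPLE)
    for ver, blk in rel.items():
        print(f"Snort {ver}: {len(blk['new'])} new, {len(blk['modified'])} modified")
        print("  by category:", summarize_by_category(blk["new"]))
        print("  disabled:", [r.key for r in disabled_by_default(blk["new"])])
        print("  SO rules:", [r.key for r in shared_object_rules(blk["new"])])
    print("missing per version:", missing_per_version(rel))
```

Run against the full release text, the cross-version check reports that the Snort 3 (version 3000) block lists no gid 3 TRUFFLEHUNTER entries, which matches the listing above; `disabled_by_default` is the list to review before assuming the new Acrobat file-format coverage is active on a sensor running the default policy.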

2018-07-24 13:35:54 UTC

Snort Subscriber Rules Update

Date: 2018-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
 * 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
 * 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
 * 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
 * 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

Modified Rules:


 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)

2018-07-24 13:35:54 UTC

Snort Subscriber Rules Update

Date: 2018-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (snort3-file-other.rules)
 * 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
 * 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (snort3-malware-cnc.rules)
 * 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
 * 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (snort3-file-pdf.rules)
 * 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (snort3-file-image.rules)
 * 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (snort3-malware-cnc.rules)
 * 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
 * 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
 * 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
 * 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
 * 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (snort3-file-pdf.rules)
 * 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (snort3-malware-cnc.rules)
 * 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (snort3-browser-ie.rules)
 * 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
 * 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (snort3-file-image.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (snort3-file-image.rules)
 * 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (snort3-file-image.rules)
 * 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (snort3-malware-cnc.rules)
 * 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
 * 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (snort3-file-pdf.rules)
 * 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (snort3-malware-cnc.rules)
 * 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)
 * 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (snort3-malware-other.rules)
 * 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (snort3-malware-cnc.rules)
 * 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (snort3-file-image.rules)

Modified Rules:


 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (snort3-file-office.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (snort3-file-office.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (snort3-file-image.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)

2018-07-24 13:35:54 UTC

Snort Subscriber Rules Update

Date: 2018-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
 * 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
 * 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
 * 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
 * 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
 * 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

Modified Rules:


 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)

2018-07-24 13:35:54 UTC

Snort Subscriber Rules Update

Date: 2018-07-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47330 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47329 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47298 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47318 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:47334 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47332 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47308 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47307 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47338 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection (malware-cnc.rules)
 * 1:47301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47309 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF RegionNodeCount out-of-bounds write attempt (file-other.rules)
 * 1:47315 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47306 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Distiller PostScript pdfmark out-of-bounds write attempt (file-other.rules)
 * 1:47312 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47314 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CEL out of bounds read attempt (file-image.rules)
 * 1:47300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant inbound payload download (malware-cnc.rules)
 * 1:47321 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47333 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds write attempt (file-other.rules)
 * 1:47335 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro out of bounds write attempt (file-pdf.rules)
 * 1:47327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt (malware-cnc.rules)
 * 1:47326 <-> ENABLED <-> MALWARE-OTHER known malicious user-agent string - DonaBot (malware-other.rules)
 * 1:47316 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47317 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusDrawPie out-of-bounds write attempt (file-other.rules)
 * 1:47320 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection (malware-cnc.rules)
 * 1:47331 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47339 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant outbound connection (malware-cnc.rules)
 * 1:47305 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47313 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro out of bounds read attempt (file-image.rules)
 * 1:47310 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47311 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer page layout use after free attempt (browser-ie.rules)
 * 1:47303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader use-after-free attempt (file-pdf.rules)
 * 1:47302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection (malware-cnc.rules)
 * 1:47322 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47323 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
 * 1:47324 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47328 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF out of bounds read attempt (file-image.rules)
 * 1:47325 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 3:47296 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47295 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2018-0635 attack attempt (file-executable.rules)
 * 3:47337 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)
 * 3:47336 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0638 attack attempt (file-image.rules)

Modified Rules:


 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)