Talos Rules 2018-08-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, malware-cnc, os-other, os-windows, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-08-21 17:27:47 UTC

Snort Subscriber Rules Update

Date: 2018-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
 * 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
 * 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
 * 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
 * 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
 * 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
 * 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
 * 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
 * 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
 * 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
 * 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
 * 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
 * 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
 * 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
 * 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

Modified Rules:


 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

2018-08-21 17:27:47 UTC

Snort Subscriber Rules Update

Date: 2018-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.


New Rules:


 * 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
 * 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
 * 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
 * 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
 * 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
 * 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
 * 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
 * 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
 * 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
 * 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
 * 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
 * 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
 * 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
 * 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
 * 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
 * 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

Modified Rules:


 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

2018-08-21 17:27:47 UTC

Snort Subscriber Rules Update

Date: 2018-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.


New Rules:


 * 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (snort3-server-webapp.rules)
 * 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (snort3-server-webapp.rules)
 * 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (snort3-server-webapp.rules)
 * 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (snort3-server-webapp.rules)
 * 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (snort3-file-other.rules)
 * 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (snort3-server-apache.rules)
 * 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (snort3-server-webapp.rules)
 * 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (snort3-file-other.rules)
 * 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (snort3-malware-cnc.rules)
 * 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (snort3-file-other.rules)
 * 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (snort3-server-other.rules)
 * 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (snort3-file-other.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
 * 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
 * 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (snort3-server-webapp.rules)
 * 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (snort3-protocol-scada.rules)
 * 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (snort3-server-webapp.rules)
 * 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (snort3-malware-cnc.rules)
 * 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (snort3-malware-cnc.rules)
 * 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (snort3-os-windows.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (snort3-server-other.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (snort3-server-webapp.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (snort3-malware-cnc.rules)

2018-08-21 17:27:47 UTC

Snort Subscriber Rules Update

Date: 2018-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.


New Rules:


 * 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
 * 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
 * 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
 * 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
 * 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
 * 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
 * 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
 * 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
 * 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
 * 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
 * 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
 * 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
 * 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
 * 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
 * 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

Modified Rules:


 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

2018-08-21 17:27:47 UTC

Snort Subscriber Rules Update

Date: 2018-08-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.


New Rules:


 * 1:47593 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47614 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup ReplicationsService.pm command injection attempt (server-webapp.rules)
 * 1:47612 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47608 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47611 <-> DISABLED <-> FILE-OTHER Easy MPEG to DVD Burner buffer overflow attempt (file-other.rules)
 * 1:47581 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API add user attempt (server-webapp.rules)
 * 1:47594 <-> ENABLED <-> MALWARE-CNC Fake PDFEscape font pack cryptominer (malware-cnc.rules)
 * 1:47610 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47580 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47606 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DiagnosticsService.pm command injection attempt (server-webapp.rules)
 * 1:47582 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47589 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47592 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47607 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47590 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47609 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard Viewer arbitrary file upload attempt (server-webapp.rules)
 * 1:47604 <-> DISABLED <-> PROTOCOL-SCADA Rockwell Automation Allen-Bradley MicroLogix controller buffer overflow attempt (protocol-scada.rules)
 * 1:47601 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected (malware-cnc.rules)
 * 1:47603 <-> DISABLED <-> SERVER-WEBAPP WordPress phar deserialization attempt (server-webapp.rules)
 * 1:47600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected (malware-cnc.rules)
 * 1:47602 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AzoRult variant outbound connection detected (malware-cnc.rules)
 * 1:47605 <-> DISABLED <-> SERVER-WEBAPP Joomla Gridbox app cross site scripting attempt (server-webapp.rules)
 * 1:47591 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:47599 <-> DISABLED <-> SERVER-WEBAPP GitList searchTree git grep arbitrary command execution attempt (server-webapp.rules)
 * 1:47615 <-> DISABLED <-> SERVER-APACHE Apache Tika crafted HTTP header command injection attempt (server-apache.rules)
 * 1:47583 <-> DISABLED <-> SERVER-WEBAPP GitStack unauthenticated REST API repository modification attempt (server-webapp.rules)
 * 1:47585 <-> DISABLED <-> SERVER-OTHER ntpq decode array buffer overflow attempt (server-other.rules)
 * 1:47588 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:47578 <-> DISABLED <-> SERVER-WEBAPP NetGain Systems Enterprise Manager directory traversal attempt (server-webapp.rules)
 * 1:47584 <-> DISABLED <-> SERVER-WEBAPP Dolibarr Carte cross site scripting attempt (server-webapp.rules)
 * 1:47579 <-> DISABLED <-> SERVER-WEBAPP Joomla Aist id SQL injection attempt (server-webapp.rules)
 * 1:47613 <-> ENABLED <-> SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt (server-webapp.rules)
 * 3:47597 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47595 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47598 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)
 * 3:47596 <-> ENABLED <-> OS-OTHER Intel x86 L1 data cache side-channel analysis information leak attempt (os-other.rules)

Modified Rules:


 * 1:45499 <-> DISABLED <-> SERVER-OTHER ISC DHCPD remote denial of service attempt (server-other.rules)
 * 1:46157 <-> DISABLED <-> SERVER-WEBAPP Oracle Hospitality Simphony MICROS directory traversal attempt (server-webapp.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)