Talos Rules 2018-09-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-identify, file-office, file-pdf, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows, protocol-dns, protocol-telnet, pua-p2p, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that several of the new rules, including 1:47691 (Apache Struts OGNL remote code execution attempt) and the four Adobe Acrobat Pro U3D rules, ship DISABLED by default and must be enabled explicitly if you want them to fire.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-09-04 19:29:01 UTC

Snort Subscriber Rules Update

Date: 2018-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
 * 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)

Modified Rules:


 * 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
 * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
 * 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
 * 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
 * 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
 * 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
 * 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
 * 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
 * 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
 * 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
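The entries on this page share one line format, gid:sid <-> state <-> message (rule group). The Python below is an added example, not part of the Talos release notes or of any Snort tool: it parses such an entry into records and answers the questions a detection engineer asks of a release: which new rules ship disabled, which rule groups the entry actually touches (a check against the category list in the summary at the top of the page), and which rules one engine's pack lists that another's does not (the Snort 3 entry on this page carries no gid 3 rule; gid 3 is the shared-object rule namespace). The sample text is copied from this release; the enablesid.conf format named in the last function is an assumption about PulledPork, not something this page states.

```python
"""Parse Talos/Snort rules changelog entries of the form

    gid:sid <-> Default rule state <-> Message (rule group)

into records, then answer the questions a detection engineer asks of a release.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the 2018-09-04 entry for Snort 2983.
SNORT2_SAMPLE = """\
New Rules:

 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)

Modified Rules:

 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
"""

# Constructed sample: the same rules in the Snort 3 (version 3000) entry, which
# names snort3-*.rules groups and, as printed on the page, lists no gid 3 rule.
SNORT3_SAMPLE = """\
New Rules:

 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (snort3-server-apache.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (snort3-server-apache.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (snort3-malware-cnc.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (snort3-file-pdf.rules)

Modified Rules:

 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (snort3-os-windows.rules)
"""

SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")
# The message always opens with an upper-case category token (SERVER-APACHE, PUA-P2P, ...)
# and closes with the rule group in parentheses.
RULE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line: gid, sid, state, category, msg, group, section."""
    section, rules = None, []
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = m.group(1).lower()  # "new" or "modified"
            continue
        if (m := RULE_RE.match(line)):
            rules.append({
                "gid": int(m["gid"]), "sid": int(m["sid"]), "state": m["state"],
                "category": m["category"], "msg": m["msg"], "group": m["group"],
                "section": section,
            })
    return rules


def disabled_new_rules(rules):
    """New rules that ship DISABLED: the review queue for deciding what to turn on."""
    return [f"{r['gid']}:{r['sid']}" for r in rules
            if r["section"] == "new" and r["state"] == "DISABLED"]


def categories_touched(rules):
    """Category -> rule count, to compare a release summary with the actual list."""
    return Counter(r["category"] for r in rules)


def summary_omissions(rules, summary_groups):
    """Rule groups present in the entry but missing from the summary's group list.
    The '.rules' suffix and any 'snort3-' prefix are stripped so both engines compare alike."""
    present = {re.sub(r"^snort3-", "", r["group"])[:-len(".rules")] for r in rules}
    return sorted(present - set(summary_groups))


def missing_from(rules_a, rules_b):
    """(gid, sid) pairs that entry A lists and entry B does not."""
    key = lambda r: (r["gid"], r["sid"])
    return sorted({key(r) for r in rules_a} - {key(r) for r in rules_b})


def enablesid_lines(rules, wanted_sids):
    """One 'gid:sid' per line for the rules to force on. This per-line gid:sid form
    is assumed to match PulledPork's enablesid.conf; verify against your own tool."""
    return "\n".join(f"{r['gid']}:{r['sid']}" for r in rules if r["sid"] in wanted_sids)


if __name__ == "__main__":
    s2 = parse_changelog(SNORT2_SAMPLE)
    s3 = parse_changelog(SNORT3_SAMPLE)
    print("new rules disabled by default:", disabled_new_rules(s2))
    print("categories:", dict(categories_touched(s2)))
    print("groups missing from summary:",
          summary_omissions(s2, ["file-pdf", "server-apache", "malware-cnc", "os-windows"]))
    print("in 2983 pack but not in 3000 pack:", missing_from(s2, s3))
    print(enablesid_lines(s2, {47691}))
```

Run against a full entry pasted into SNORT2_SAMPLE, the disabled-new-rules list is the set to triage before the next policy push; the summary check catches omissions such as server-other, which this release's opening paragraph originally left out.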

2018-09-04 19:29:01 UTC

Snort Subscriber Rules Update

Date: 2018-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
 * 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
 * 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
 * 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)

Modified Rules:


 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
 * 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
 * 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
 * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
 * 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
 * 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
 * 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
 * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
 * 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
 * 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
 * 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)

2018-09-04 19:29:01 UTC

Snort Subscriber Rules Update

Date: 2018-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (snort3-file-pdf.rules)
 * 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (snort3-malware-cnc.rules)
 * 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (snort3-server-apache.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (snort3-server-apache.rules)
 * 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (snort3-file-pdf.rules)
 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (snort3-server-apache.rules)
 * 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (snort3-file-pdf.rules)
 * 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (snort3-file-pdf.rules)

Modified Rules:


 * 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (snort3-pua-p2p.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
 * 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (snort3-malware-backdoor.rules)
 * 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (snort3-pua-p2p.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (snort3-os-windows.rules)
 * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (snort3-malware-cnc.rules)
 * 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (snort3-file-identify.rules)
 * 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (snort3-malware-cnc.rules)
 * 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (snort3-malware-backdoor.rules)
 * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (snort3-malware-other.rules)
 * 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (snort3-malware-tools.rules)
 * 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (snort3-malware-tools.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (snort3-file-office.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (snort3-protocol-dns.rules)
 * 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (snort3-malware-cnc.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (snort3-protocol-telnet.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (snort3-file-identify.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (snort3-protocol-telnet.rules)
 * 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (snort3-pua-p2p.rules)
 * 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (snort3-server-other.rules)
 * 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (snort3-server-other.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (snort3-os-windows.rules)
 * 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (snort3-malware-cnc.rules)
 * 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (snort3-malware-cnc.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (snort3-file-identify.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (snort3-malware-backdoor.rules)
 * 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (snort3-file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (snort3-os-windows.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
 * 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (snort3-malware-other.rules)

2018-09-04 19:29:01 UTC

Snort Subscriber Rules Update

Date: 2018-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
 * 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)

Modified Rules:


 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
 * 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
 * 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
 * 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
 * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
 * 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
 * 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
 * 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
 * 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)

2018-09-04 19:29:01 UTC

Snort Subscriber Rules Update

Date: 2018-09-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47694 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47693 <-> DISABLED <-> SERVER-WEBAPP Manage Engine Recovery Manager cross site scripting attempt (server-webapp.rules)
 * 1:47692 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Shrug2 outbound connection (malware-cnc.rules)
 * 1:47691 <-> DISABLED <-> SERVER-APACHE Apache Struts ognl remote code execution attempt (server-apache.rules)
 * 1:47690 <-> ENABLED <-> SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt (server-apache.rules)
 * 1:47689 <-> ENABLED <-> SERVER-APACHE Apache Struts java.net.Socket class access attempt (server-apache.rules)
 * 1:47688 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47687 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D SGI RGB information leak attempt (file-pdf.rules)
 * 1:47686 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 1:47685 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro U3D IFF out of bounds read attempt (file-pdf.rules)
 * 3:47684 <-> ENABLED <-> SERVER-OTHER Mikrotik RouterOS directory traversal attempt (server-other.rules)

Modified Rules:


 * 1:17620 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:12211 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP connection traffic detected (pua-p2p.rules)
 * 1:12210 <-> ENABLED <-> PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected (pua-p2p.rules)
 * 1:17621 <-> ENABLED <-> SERVER-OTHER Products Discovery Service Buffer Overflow (server-other.rules)
 * 1:19037 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection (malware-cnc.rules)
 * 1:19040 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection (malware-cnc.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:25517 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:12209 <-> ENABLED <-> PUA-P2P P2PTv TVAnt udp traffic detected (pua-p2p.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:24594 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt (malware-other.rules)
 * 1:19022 <-> DISABLED <-> MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection (malware-cnc.rules)
 * 1:24359 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)
 * 1:23777 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:23775 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.71 packer file magic detected (file-identify.rules)
 * 1:23605 <-> ENABLED <-> FILE-IDENTIFY Armadillo v1.xx - v2.xx file magic detected (file-identify.rules)
 * 1:20097 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip (malware-cnc.rules)
 * 1:20002 <-> DISABLED <-> MALWARE-CNC Allaple.e variant outbound connection (malware-cnc.rules)
 * 1:19221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:19189 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans2 Distributed File System response PathConsumed integer overflow attempt (os-windows.rules)
 * 1:7584 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set open (malware-tools.rules)
 * 1:7583 <-> ENABLED <-> MALWARE-TOOLS Hacker-Tool clandestine runtime detection - flowbit set big (malware-tools.rules)
 * 1:7162 <-> DISABLED <-> MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client (malware-other.rules)
 * 1:7067 <-> DISABLED <-> MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection (malware-backdoor.rules)
 * 1:6057 <-> DISABLED <-> MALWARE-BACKDOOR bifrose 1.1 runtime detection (malware-backdoor.rules)
 * 1:6046 <-> DISABLED <-> MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection (malware-backdoor.rules)
 * 1:40712 <-> ENABLED <-> FILE-OFFICE Microsoft Office 2016 arbitrary pointer dereference vulnerability attempt (file-office.rules)
 * 1:33825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt (os-windows.rules)