Talos Rules 2018-10-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-linux, os-other, os-windows, protocol-dns, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44919 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
 * 1:44920 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45255 <-> ENABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45444 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45443 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:47821 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47820 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:45839 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45838 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)

Modified Rules:


 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (snort3-pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (snort3-pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (snort3-pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (snort3-malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (snort3-server-other.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (snort3-server-webapp.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (snort3-malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (snort3-malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (snort3-file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (snort3-file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (snort3-server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (snort3-file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (snort3-file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (snort3-file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (snort3-file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (snort3-server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (snort3-server-other.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (snort3-file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (snort3-file-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (snort3-file-other.rules)

Modified Rules:


 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (snort3-server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (snort3-server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)

Modified Rules:


 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)

Modified Rules:


 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)