Talos Rules 2018-10-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-image, malware-cnc, os-windows, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
 * 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

Modified Rules:
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
 * 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

Modified Rules:
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
 * 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

Modified Rules:
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (snort3-malware-cnc.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (snort3-server-other.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (snort3-server-webapp.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (snort3-server-other.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (snort3-malware-cnc.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (snort3-malware-cnc.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (snort3-server-webapp.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (snort3-server-webapp.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (snort3-server-webapp.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (snort3-server-webapp.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (snort3-malware-cnc.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (snort3-malware-cnc.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (snort3-malware-cnc.rules)
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (snort3-malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (snort3-deleted.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (snort3-malware-cnc.rules)

Modified Rules:
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (snort3-os-windows.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (snort3-server-webapp.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (snort3-protocol-ftp.rules)

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
 * 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

Modified Rules:
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)

2018-10-18 16:39:04 UTC

Snort Subscriber Rules Update

Date: 2018-10-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48177 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SQL injection attempt (server-webapp.rules)
 * 1:48173 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48205 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected (malware-cnc.rules)
 * 1:48203 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48189 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48174 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48181 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48176 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48186 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48180 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48185 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48193 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48187 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48194 <-> DISABLED <-> SERVER-WEBAPP Joomba component AlphaIndex Dictionaries SQL injection attempt (server-webapp.rules)
 * 1:48184 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48183 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48191 <-> ENABLED <-> MALWARE-CNC Linux.Malware.Torii variant malicious file download (malware-cnc.rules)
 * 1:48196 <-> DISABLED <-> SERVER-WEBAPP Joomla component Reverse Auction Factory SQL injection attempt (server-webapp.rules)
 * 1:48195 <-> DISABLED <-> SERVER-WEBAPP Joomla Component Collection Factory SQL injection attempt (server-webapp.rules)
 * 1:48182 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 1:48197 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48188 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48202 <-> DISABLED <-> MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection (malware-cnc.rules)
 * 1:48175 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt (malware-cnc.rules)
 * 1:48172 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 form2systime.cgi command injection attempt (server-webapp.rules)
 * 1:48192 <-> ENABLED <-> MALWARE-CNC Unix.Worm.Hakai outbound connection (malware-cnc.rules)
 * 1:48200 <-> DISABLED <-> DELETED OoMie6Coh4Cha0voo0oh (deleted.rules)
 * 1:48190 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm buffer overflow attempt (server-other.rules)
 * 1:48198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Datper variant outbound request detected (malware-cnc.rules)
 * 1:48179 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center imcwlandm stack buffer overflow attempt (server-other.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)
 * 3:48201 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP denial of service attempt (server-other.rules)
 * 3:48204 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller CAPWAP information disclosure attempt (server-other.rules)

Modified Rules:
 * 1:48055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Filter Manager Elevation Of Privilege attempt (os-windows.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:43495 <-> DISABLED <-> SERVER-WEBAPP Lets Encrypt SSL certificate for domain resembling paypal (server-webapp.rules)