Talos Rules 2019-01-10
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)

Modified Rules:


 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)

Modified Rules:


 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)

Modified Rules:


 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (snort3-malware-cnc.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (snort3-malware-cnc.rules)
 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (snort3-malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (snort3-malware-cnc.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (snort3-policy-other.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (snort3-file-other.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (snort3-file-other.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (snort3-server-webapp.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (snort3-file-pdf.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (snort3-file-pdf.rules)
 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (snort3-indicator-compromise.rules)
 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (snort3-indicator-compromise.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (snort3-indicator-compromise.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (snort3-indicator-compromise.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (snort3-indicator-compromise.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (snort3-indicator-compromise.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (snort3-indicator-compromise.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (snort3-indicator-compromise.rules)

Modified Rules:


 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (snort3-indicator-compromise.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (snort3-indicator-compromise.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (snort3-indicator-compromise.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (snort3-indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (snort3-indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (snort3-indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (snort3-indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (snort3-indicator-compromise.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (snort3-browser-ie.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (snort3-indicator-compromise.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (snort3-browser-ie.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (snort3-indicator-compromise.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (snort3-indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (snort3-indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (snort3-indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (snort3-indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (snort3-indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (snort3-indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (snort3-indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (snort3-indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (snort3-indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (snort3-indicator-compromise.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (snort3-indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (snort3-indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (snort3-indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (snort3-indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (snort3-indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (snort3-indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (snort3-indicator-compromise.rules)

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)

Modified Rules:


 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)

2019-01-10 17:02:52 UTC

Snort Subscriber Rules Update

Date: 2019-01-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48819 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant inbound payload download (malware-cnc.rules)
 * 1:48835 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns AAAA query (indicator-compromise.rules)
 * 1:48822 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut inbound payload download (malware-cnc.rules)
 * 1:48829 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns AAAA query (indicator-compromise.rules)
 * 1:48824 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48825 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture use after free attempt (file-other.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48827 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48821 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Uppercut variant outbound connection (malware-cnc.rules)
 * 1:48831 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns AAAA query (indicator-compromise.rules)
 * 1:48828 <-> ENABLED <-> FILE-PDF Adobe Acrobat Pro use after free attempt (file-pdf.rules)
 * 1:48832 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns TXT query (indicator-compromise.rules)
 * 1:48830 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns TXT query (indicator-compromise.rules)
 * 1:48833 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns AAAA query (indicator-compromise.rules)
 * 1:48834 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns TXT query (indicator-compromise.rules)
 * 1:48823 <-> DISABLED <-> POLICY-OTHER C-More Programming Simulator denial of service attempt (policy-other.rules)
 * 1:48820 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Criakl variant outbound connection (malware-cnc.rules)
 * 1:48818 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48836 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns TXT query (indicator-compromise.rules)

Modified Rules:


 * 1:48677 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan dns query (indicator-compromise.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48681 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48678 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .free dns query (indicator-compromise.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48683 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .emc dns query (indicator-compromise.rules)
 * 1:48685 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .lib dns query (indicator-compromise.rules)
 * 1:48687 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48688 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .fur dns query (indicator-compromise.rules)
 * 1:48713 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue dns query (indicator-compromise.rules)
 * 1:48714 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .glue tcp dns query (indicator-compromise.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitrary code execution attempt (browser-ie.rules)
 * 1:48680 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48652 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48649 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48674 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody dns query (indicator-compromise.rules)
 * 1:48653 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek dns query (indicator-compromise.rules)
 * 1:48657 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48648 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48658 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48671 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz tcp dns A query (indicator-compromise.rules)
 * 1:48660 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .neo dns query (indicator-compromise.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48655 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48665 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o tcp dns A query (indicator-compromise.rules)
 * 1:48668 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .o dns A query (indicator-compromise.rules)
 * 1:48669 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48651 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48647 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48670 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oss dns query (indicator-compromise.rules)
 * 1:48675 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48679 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48673 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .oz dns A query (indicator-compromise.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:48682 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious .coin dns query (indicator-compromise.rules)