Talos Rules 2019-01-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-01-15 13:33:05 UTC

Snort Subscriber Rules Update

Date: 2019-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48843 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48842 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48841 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48840 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48839 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48838 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48860 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48859 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:48856 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.L0rdix binary download attempt (malware-other.rules)
 * 1:48849 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48848 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48847 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48846 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48845 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 3:48850 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48851 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48852 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48853 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)
 * 3:48855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)

Modified Rules:

 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:20425 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (protocol-voip.rules)
 * 1:43454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:47202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:43455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:47201 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)

2019-01-15 13:33:05 UTC

Snort Subscriber Rules Update

Date: 2019-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:48838 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48843 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48849 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48856 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.L0rdix binary download attempt (malware-other.rules)
 * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:48839 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48845 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48847 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48848 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:48860 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48859 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48841 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48840 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48842 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48846 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 3:48850 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48851 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48852 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48853 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)
 * 3:48855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)

Modified Rules:

 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:47202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:43454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:43455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:47201 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:20425 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (protocol-voip.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)

2019-01-15 13:33:05 UTC

Snort Subscriber Rules Update

Date: 2019-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48847 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (snort3-malware-cnc.rules)
 * 1:48859 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (snort3-malware-cnc.rules)
 * 1:48860 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (snort3-malware-cnc.rules)
 * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48848 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (snort3-file-pdf.rules)
 * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48841 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (snort3-server-webapp.rules)
 * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (snort3-malware-cnc.rules)
 * 1:48840 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (snort3-server-webapp.rules)
 * 1:48843 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (snort3-server-webapp.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (snort3-malware-cnc.rules)
 * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48838 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (snort3-server-webapp.rules)
 * 1:48846 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (snort3-malware-cnc.rules)
 * 1:48849 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (snort3-file-pdf.rules)
 * 1:48856 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.L0rdix binary download attempt (snort3-malware-other.rules)
 * 1:48842 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (snort3-server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
 * 1:48839 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (snort3-server-webapp.rules)
 * 1:48844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48845 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (snort3-malware-cnc.rules)

Modified Rules:

 * 1:20425 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (snort3-protocol-voip.rules)
 * 1:43454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (snort3-file-flash.rules)
 * 1:43455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (snort3-file-flash.rules)
 * 1:47201 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (snort3-file-office.rules)
 * 1:47202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (snort3-file-office.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (snort3-server-webapp.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (snort3-os-windows.rules)

2019-01-15 13:33:05 UTC

Snort Subscriber Rules Update

Date: 2019-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48840 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48849 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48843 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48841 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48856 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.L0rdix binary download attempt (malware-other.rules)
 * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:48839 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48846 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48838 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48847 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48845 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48859 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48842 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48860 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48848 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 3:48850 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48851 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48852 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48853 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)
 * 3:48855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)

Modified Rules:

 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:43454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:20425 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (protocol-voip.rules)
 * 1:47202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:47201 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:43455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)

2019-01-15 13:33:05 UTC

Snort Subscriber Rules Update

Date: 2019-01-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48859 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48860 <-> ENABLED <-> MALWARE-CNC MuddyWater variant malicious document download attempt (malware-cnc.rules)
 * 1:48846 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48849 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48840 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48856 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.L0rdix binary download attempt (malware-other.rules)
 * 1:48841 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48857 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send client settings attempt (malware-cnc.rules)
 * 1:48842 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48839 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48862 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48843 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox ping.php command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:48848 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript ANAuthenticateResource use-after-free attempt (file-pdf.rules)
 * 1:48861 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48838 <-> DISABLED <-> SERVER-WEBAPP Wifi-Soft Unibox diagnostic_tools_controller.php command injection attempt (server-webapp.rules)
 * 1:48847 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48844 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48858 <-> ENABLED <-> MALWARE-CNC Win.Trojan.L0rdix send system log attempt (malware-cnc.rules)
 * 1:48845 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.WindTail outbound connection (malware-cnc.rules)
 * 1:48864 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 1:48863 <-> DISABLED <-> INDICATOR-OBFUSCATION Potential Z-WASP malicious URL obfuscation attempt (indicator-obfuscation.rules)
 * 3:48855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)
 * 3:48854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0758 attack attempt (protocol-other.rules)
 * 3:48852 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)
 * 3:48851 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48850 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0760 attack attempt (file-other.rules)
 * 3:48853 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0757 attack attempt (file-other.rules)

Modified Rules:

 * 1:48735 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:48737 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:47202 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48736 <-> DISABLED <-> SERVER-WEBAPP MailCleaner managetracing searchAction command injection attempt (server-webapp.rules)
 * 1:20425 <-> DISABLED <-> PROTOCOL-VOIP Cisco 7940/7960 INVITE Remote-Party-ID header denial of service attempt (protocol-voip.rules)
 * 1:43455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:43454 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:47201 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)