Talos Rules 2019-03-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-plugins, deleted, file-multimedia, file-office, file-other, malware-cnc, policy-other, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-03-14 16:47:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
 * 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
 * 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
 * 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
 * 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
 * 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
 * 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
 * 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
 * 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
 * 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
 * 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
 * 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
 * 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)

Modified Rules:

 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)

2019-03-14 16:47:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
 * 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
 * 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
 * 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
 * 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
 * 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
 * 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
 * 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
 * 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
 * 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
 * 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)

Modified Rules:

 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)

2019-03-14 16:47:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (snort3-server-other.rules)
 * 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
 * 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)
 * 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (snort3-file-other.rules)
 * 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (snort3-server-other.rules)
 * 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (snort3-deleted.rules)
 * 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (snort3-server-other.rules)
 * 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (snort3-server-other.rules)
 * 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (snort3-server-webapp.rules)
 * 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
 * 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (snort3-file-multimedia.rules)
 * 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (snort3-deleted.rules)
 * 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
 * 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (snort3-server-webapp.rules)
 * 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (snort3-malware-cnc.rules)
 * 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (snort3-deleted.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (snort3-file-office.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (snort3-malware-cnc.rules)
 * 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (snort3-malware-cnc.rules)
 * 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (snort3-protocol-ftp.rules)
 * 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (snort3-server-other.rules)
 * 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
 * 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
 * 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (snort3-server-webapp.rules)
 * 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (snort3-policy-other.rules)
 * 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (snort3-file-other.rules)
 * 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (snort3-file-other.rules)
 * 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (snort3-server-webapp.rules)
 * 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (snort3-server-other.rules)
 * 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)
 * 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (snort3-malware-cnc.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (snort3-file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (snort3-file-other.rules)

2019-03-14 16:47:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
 * 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
 * 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
 * 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
 * 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
 * 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
 * 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
 * 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
 * 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
 * 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
 * 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
 * 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
 * 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)

Modified Rules:

 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)

2019-03-14 16:47:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49417 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49428 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49438 <-> DISABLED <-> SERVER-OTHER QNX Neutrino qconn unauthenticated command execution attempt (server-other.rules)
 * 1:49436 <-> DISABLED <-> POLICY-OTHER Linksys WAP610N command injection attempt (policy-other.rules)
 * 1:49445 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49416 <-> DISABLED <-> SERVER-OTHER Samsung Integrated Management System Data Management Server hardcoded credentials attempt (server-other.rules)
 * 1:49437 <-> DISABLED <-> FILE-OTHER Schneider Electric GP-Pro EX ParseAPI heap buffer overflow attempt (file-other.rules)
 * 1:49446 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49439 <-> DISABLED <-> SERVER-OTHER Interactive Graphical SCADA System arbitrary file read attempt (server-other.rules)
 * 1:49405 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49441 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49427 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:49415 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49434 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49440 <-> DISABLED <-> SERVER-OTHER SCADA DataRate remote code execution attempt (server-other.rules)
 * 1:49429 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49408 <-> DISABLED <-> SERVER-WEBAPP Simple Scada directory traversal attempt (server-webapp.rules)
 * 1:49404 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer vidplin.dll avi header parsing execution attempt (file-multimedia.rules)
 * 1:49412 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.FrameworkPoS variant inbound connection attempt (deleted.rules)
 * 1:49406 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49413 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49409 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49418 <-> DISABLED <-> SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt (server-webapp.rules)
 * 1:49419 <-> DISABLED <-> DELETED GNdktjYYmo6tGK3d61ug (deleted.rules)
 * 1:49420 <-> DISABLED <-> DELETED JHtRAgZsIsS5j7DAHi10 (deleted.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49432 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher 2003 EscherStm memory corruption attempt (file-office.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49414 <-> DISABLED <-> SERVER-WEBAPP Samsung Integrated Management System Data Management Server SQL injection attempt (server-webapp.rules)
 * 1:49410 <-> DISABLED <-> FILE-OTHER Elipse Software Elipse32 dll-load exploit attempt (file-other.rules)
 * 1:49407 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess 8.3.2 Dashboard SQL injection attempt (server-webapp.rules)
 * 1:49425 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Danabot download attempt (malware-cnc.rules)
 * 1:49444 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt (malware-cnc.rules)
 * 1:49447 <-> DISABLED <-> BROWSER-PLUGINS Phoenix Contact Think & Do ISSymbol ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49433 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49430 <-> DISABLED <-> SERVER-WEBAPP MyBB Bans List Extension cross site scripting attempt (server-webapp.rules)
 * 1:49435 <-> DISABLED <-> SERVER-WEBAPP Sitecom Home Storage Center directory traversal attempt (server-webapp.rules)
 * 1:49426 <-> DISABLED <-> PROTOCOL-FTP GP-Pro EX HMI WinGP Runtime Arbitrary File Disclosure attempt (protocol-ftp.rules)
 * 3:49443 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)
 * 3:49442 <-> ENABLED <-> BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt (browser-chrome.rules)

Modified Rules:

 * 1:28515 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:24083 <-> DISABLED <-> FILE-OTHER ESTsoft ALZip MIM file buffer overflow attempt (file-other.rules)
 * 1:28516 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28517 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt (malware-cnc.rules)
 * 1:28509 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28511 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 1:28510 <-> DISABLED <-> FILE-OTHER Microsoft Wordpad embedded BMP overflow attempt (file-other.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)