Talos Rules 2019-03-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-office, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-03-19 13:03:36 UTC

Snort Subscriber Rules Update

Date: 2019-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
 * 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
 * 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)

2019-03-19 13:03:36 UTC

Snort Subscriber Rules Update

Date: 2019-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
 * 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
 * 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)

Modified Rules:


 * 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)

2019-03-19 13:03:36 UTC

Snort Subscriber Rules Update

Date: 2019-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
 * 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
 * 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
 * 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (snort3-file-office.rules)
 * 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (snort3-file-office.rules)
 * 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (snort3-file-office.rules)
 * 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (snort3-file-office.rules)
 * 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
 * 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (snort3-server-webapp.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (snort3-server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (snort3-server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (snort3-server-webapp.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (snort3-server-other.rules)
 * 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
 * 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (snort3-policy-other.rules)
 * 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (snort3-policy-other.rules)
 * 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
 * 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (snort3-server-other.rules)
 * 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (snort3-server-webapp.rules)
 * 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
 * 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
 * 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (snort3-malware-cnc.rules)
 * 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (snort3-server-other.rules)
 * 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (snort3-server-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (snort3-file-other.rules)
 * 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (snort3-server-other.rules)
 * 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (snort3-server-other.rules)
 * 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)
 * 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (snort3-malware-cnc.rules)
 * 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (snort3-file-other.rules)

Modified Rules:


 * 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (snort3-file-other.rules)
 * 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (snort3-file-other.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (snort3-server-webapp.rules)

2019-03-19 13:03:36 UTC

Snort Subscriber Rules Update

Date: 2019-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
 * 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
 * 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)

Modified Rules:


 * 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)

2019-03-19 13:03:36 UTC

Snort Subscriber Rules Update

Date: 2019-03-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49478 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49461 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49460 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49459 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49458 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49457 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49456 <-> DISABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49455 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49454 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49453 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49452 <-> DISABLED <-> SERVER-OTHER Perl webshell upload attempt (server-other.rules)
 * 1:49451 <-> DISABLED <-> SERVER-OTHER webshell upload attempt (server-other.rules)
 * 1:49450 <-> DISABLED <-> SERVER-OTHER CFM webshell upload attempt (server-other.rules)
 * 1:49449 <-> DISABLED <-> SERVER-OTHER ASP webshell upload attempt (server-other.rules)
 * 1:49448 <-> DISABLED <-> SERVER-WEBAPP WordPress comment cross site request forgery attempt (server-webapp.rules)
 * 1:49477 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49474 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49473 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49472 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49471 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49470 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49469 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49468 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RisingSun variant outbound connection (malware-cnc.rules)
 * 1:49465 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49464 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49463 <-> DISABLED <-> SERVER-WEBAPP Joomla CW Articles Attachments SQL injection attempt (server-webapp.rules)
 * 1:49462 <-> DISABLED <-> POLICY-OTHER D-Link DIR-615 remote unauthenticated password modification attempt (policy-other.rules)
 * 1:49484 <-> DISABLED <-> SERVER-OTHER Western Digital MyNet unauthenticated configuration disclosure attempt (server-other.rules)
 * 1:49481 <-> DISABLED <-> SERVER-OTHER Sagem Fast 3304-V1 denial of service attempt (server-other.rules)
 * 1:49480 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49479 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.RisingSun variant download attempt (malware-cnc.rules)
 * 1:49483 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49482 <-> DISABLED <-> FILE-OTHER Microsoft Windows TTF parsing counter overflow attempt (file-other.rules)
 * 1:49485 <-> DISABLED <-> SERVER-OTHER IBM solidDB denial of service attempt (server-other.rules)
 * 1:49488 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49487 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49486 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49490 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49489 <-> DISABLED <-> FILE-OTHER Snapd dirty_sock exploit download attempt (file-other.rules)
 * 1:49491 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49497 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49496 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49495 <-> ENABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method access (file-office.rules)
 * 1:49494 <-> DISABLED <-> FILE-OFFICE Microsoft Office MSCOMCTL ActiveX control tabstrip method attempt (file-office.rules)
 * 1:49493 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)
 * 1:49492 <-> DISABLED <-> SERVER-WEBAPP QNAP Zip Upload command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35857 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:35858 <-> DISABLED <-> FILE-OTHER Microsoft System.Uri heap corruption attempt (file-other.rules)
 * 1:46624 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46625 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46626 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)
 * 1:46627 <-> ENABLED <-> SERVER-WEBAPP GPON Router authentication bypass and command injection attempt (server-webapp.rules)