Talos Rules 2019-03-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats in those areas.

Change logs

2019-03-26 13:15:58 UTC

Snort Subscriber Rules Update

Date: 2019-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
 * 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
 * 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
 * 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
 * 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
 * 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
 * 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
 * 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
 * 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
 * 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
 * 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
 * 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
 * 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
 * 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
 * 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)

Modified Rules:
 * 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)

2019-03-26 13:15:58 UTC

Snort Subscriber Rules Update

Date: 2019-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
 * 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
 * 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
 * 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
 * 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
 * 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
 * 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
 * 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
 * 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
 * 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
 * 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
 * 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
 * 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
 * 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
 * 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)

Modified Rules:
 * 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
 * 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)

2019-03-26 13:15:58 UTC

Snort Subscriber Rules Update

Date: 2019-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (snort3-malware-cnc.rules)
 * 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (snort3-malware-other.rules)
 * 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (snort3-malware-other.rules)
 * 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (snort3-malware-cnc.rules)
 * 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (snort3-malware-cnc.rules)
 * 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (snort3-policy-other.rules)
 * 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (snort3-server-webapp.rules)
 * 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (snort3-server-webapp.rules)
 * 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
 * 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
 * 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (snort3-server-webapp.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (snort3-server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
 * 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (snort3-malware-other.rules)
 * 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (snort3-malware-cnc.rules)
 * 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
 * 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
 * 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (snort3-indicator-compromise.rules)
 * 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (snort3-malware-cnc.rules)
 * 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (snort3-server-webapp.rules)
 * 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (snort3-policy-other.rules)
 * 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (snort3-malware-other.rules)
 * 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (snort3-server-other.rules)
 * 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (snort3-server-other.rules)
 * 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (snort3-malware-cnc.rules)
 * 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (snort3-malware-cnc.rules)
 * 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (snort3-policy-other.rules)
 * 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (snort3-malware-cnc.rules)
 * 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (snort3-server-other.rules)
 * 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (snort3-indicator-compromise.rules)
 * 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (snort3-indicator-compromise.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (snort3-server-webapp.rules)
 * 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (snort3-policy-other.rules)
 * 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)
 * 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (snort3-file-pdf.rules)

Modified Rules:
 * 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (snort3-server-webapp.rules)
 * 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (snort3-server-webapp.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (snort3-server-other.rules)

2019-03-26 13:15:58 UTC

Snort Subscriber Rules Update

Date: 2019-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
 * 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
 * 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
 * 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
 * 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
 * 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
 * 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
 * 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
 * 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)
 * 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
 * 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
 * 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
 * 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
 * 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)

Modified Rules:
 * 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
 * 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)

2019-03-26 13:15:58 UTC

Snort Subscriber Rules Update

Date: 2019-03-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49562 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49561 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49559 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49564 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49567 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49569 <-> ENABLED <-> MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt (malware-other.rules)
 * 1:49572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt (malware-cnc.rules)
 * 1:49570 <-> DISABLED <-> MALWARE-OTHER Windows Management Instrumentation manipulation attempt (malware-other.rules)
 * 1:49563 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49560 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49568 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt (malware-cnc.rules)
 * 1:49521 <-> DISABLED <-> POLICY-OTHER Sagem Fast Router default credentials login attempt (policy-other.rules)
 * 1:49522 <-> DISABLED <-> SERVER-WEBAPP Magecart infected page outbound request attempt (server-webapp.rules)
 * 1:49523 <-> DISABLED <-> SERVER-WEBAPP Zyxel ZyWALL information disclosure attempt (server-webapp.rules)
 * 1:49524 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49525 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49526 <-> DISABLED <-> SERVER-WEBAPP TPLink TD W8151N SQL injection attempt (server-webapp.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49529 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49535 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49534 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49530 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49531 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49532 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner download attempt (indicator-compromise.rules)
 * 1:49533 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Yatron variant outbound connection (malware-cnc.rules)
 * 1:49538 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector command injection attempt (server-webapp.rules)
 * 1:49541 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin log file access attempt (policy-other.rules)
 * 1:49536 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Yatron payload download attempt (malware-other.rules)
 * 1:49537 <-> DISABLED <-> SERVER-WEBAPP elFinder PHP connector arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49539 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49540 <-> ENABLED <-> SERVER-OTHER WordPress wp_user_roles configuration change attempt (server-other.rules)
 * 1:49544 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt (malware-cnc.rules)
 * 1:49545 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AZORult variant payload download attempt (malware-cnc.rules)
 * 1:49549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49550 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt (malware-cnc.rules)
 * 1:49542 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings import attempt (policy-other.rules)
 * 1:49553 <-> DISABLED <-> MALWARE-CNC Win.Trojan.IcedID variant payload download attempt (malware-cnc.rules)
 * 1:49554 <-> DISABLED <-> SERVER-OTHER OpenMRS getExactPatients.action information disclosure attempt (server-other.rules)
 * 1:49555 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49556 <-> DISABLED <-> INDICATOR-COMPROMISE AutoBase Studio project remote code execution attempt (indicator-compromise.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:49558 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection (malware-cnc.rules)
 * 1:49565 <-> DISABLED <-> FILE-PDF Cool PDF Reader buffer overflow attempt (file-pdf.rules)
 * 1:49543 <-> DISABLED <-> POLICY-OTHER WordPress Easy WP SMTP plugin config settings export attempt (policy-other.rules)

Modified Rules:
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:49257 <-> DISABLED <-> SERVER-WEBAPP Drupal Core 8 PHP object injection RCE attempt (server-webapp.rules)
 * 1:49282 <-> DISABLED <-> SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt (server-webapp.rules)