Talos Rules 2019-04-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-other, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-04-02 13:15:15 UTC

Snort Subscriber Rules Update

Date: 2019-04-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49621 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49620 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49618 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49617 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49642 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49641 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49640 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49639 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49638 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49637 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49636 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49635 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49634 <-> DISABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49633 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49632 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49627 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49626 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49625 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49622 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49652 <-> DISABLED <-> SERVER-OTHER ipTime G104BE directory traversal attempt (server-other.rules)
 * 1:49651 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49650 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49647 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49646 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49645 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49644 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49643 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 3:49619 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:49648 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)
 * 3:49649 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:49114 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49112 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 3:48949 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:48946 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48948 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48947 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

2019-04-02 13:15:15 UTC

Snort Subscriber Rules Update

Date: 2019-04-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49644 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49645 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49620 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49618 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49621 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49652 <-> DISABLED <-> SERVER-OTHER ipTime G104BE directory traversal attempt (server-other.rules)
 * 1:49617 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49625 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49626 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49627 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49632 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49633 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49634 <-> DISABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49635 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49636 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49651 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49650 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49646 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49647 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49622 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49637 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49638 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49639 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49640 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49641 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49642 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49643 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 3:49619 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:49648 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)
 * 3:49649 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:49114 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 1:49112 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 3:48946 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48949 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:48947 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48948 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

2019-04-02 13:15:15 UTC

Snort Subscriber Rules Update

Date: 2019-04-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49650 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (snort3-file-pdf.rules)
 * 1:49623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (snort3-malware-cnc.rules)
 * 1:49617 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (snort3-file-other.rules)
 * 1:49620 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (snort3-server-webapp.rules)
 * 1:49647 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (snort3-server-webapp.rules)
 * 1:49624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (snort3-malware-cnc.rules)
 * 1:49625 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (snort3-malware-cnc.rules)
 * 1:49651 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (snort3-file-pdf.rules)
 * 1:49652 <-> DISABLED <-> SERVER-OTHER ipTime G104BE directory traversal attempt (snort3-server-other.rules)
 * 1:49618 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (snort3-file-other.rules)
 * 1:49637 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49621 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (snort3-server-webapp.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49632 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (snort3-server-other.rules)
 * 1:49633 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (snort3-server-other.rules)
 * 1:49634 <-> DISABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (snort3-server-other.rules)
 * 1:49635 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:49636 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49639 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49638 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:49641 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (snort3-file-pdf.rules)
 * 1:49642 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:49643 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:49644 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (snort3-server-webapp.rules)
 * 1:49645 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (snort3-server-webapp.rules)
 * 1:49646 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (snort3-server-webapp.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49626 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (snort3-browser-ie.rules)
 * 1:49627 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (snort3-browser-ie.rules)
 * 1:49622 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (snort3-server-webapp.rules)
 * 1:49640 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (snort3-file-pdf.rules)

Modified Rules:

 * 1:49112 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (snort3-browser-other.rules)
 * 1:49114 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (snort3-browser-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (snort3-server-other.rules)

2019-04-02 13:15:15 UTC

Snort Subscriber Rules Update

Date: 2019-04-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49651 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49640 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49652 <-> DISABLED <-> SERVER-OTHER ipTime G104BE directory traversal attempt (server-other.rules)
 * 1:49642 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49643 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49644 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49638 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49617 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49641 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49647 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49646 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49637 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49621 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49622 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49625 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49626 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49627 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49618 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49632 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49633 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49634 <-> DISABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49635 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49639 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49636 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49645 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49620 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49650 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 3:49619 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:49648 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)
 * 3:49649 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:49114 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49112 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 3:48946 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48949 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:48947 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48948 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)

2019-04-02 13:15:15 UTC

Snort Subscriber Rules Update

Date: 2019-04-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49622 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49647 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49620 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49621 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess Dashboard directory traversal attempt (server-webapp.rules)
 * 1:49644 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49646 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49617 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49625 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49626 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49627 <-> ENABLED <-> BROWSER-IE Microsoft Edge resource entry same-origin-policy bypass attempt (browser-ie.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49632 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49633 <-> ENABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49645 <-> DISABLED <-> SERVER-WEBAPP Wordpress image edit directory traversal attempt (server-webapp.rules)
 * 1:49634 <-> DISABLED <-> SERVER-OTHER Atvise SCADA arbitrary file disclosure attempt (server-other.rules)
 * 1:49635 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple Showtime2 Module arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49636 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49637 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49638 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49639 <-> DISABLED <-> BROWSER-PLUGINS Foscam IPCWebComponents ActiveX clsid access attempt (browser-plugins.rules)
 * 1:49652 <-> DISABLED <-> SERVER-OTHER ipTime G104BE directory traversal attempt (server-other.rules)
 * 1:49624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redaman outbound connection (malware-cnc.rules)
 * 1:49640 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49618 <-> ENABLED <-> FILE-OTHER Unix systemd-journald memory corruption attempt (file-other.rules)
 * 1:49650 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49643 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 1:49651 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF printWithParams use-after-free attempt (file-pdf.rules)
 * 1:49641 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF use-after-free attempt (file-pdf.rules)
 * 1:49642 <-> DISABLED <-> SERVER-WEBAPP Softneta MedDream PACS Server Premium directory traversal attempt (server-webapp.rules)
 * 3:49619 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)
 * 3:49648 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)
 * 3:49649 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0793 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:49114 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49112 <-> DISABLED <-> BROWSER-OTHER Opera GIF parsing buffer underflow attempt (browser-other.rules)
 * 1:49458 <-> ENABLED <-> SERVER-OTHER PHP webshell upload attempt (server-other.rules)
 * 3:48948 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48946 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48947 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers command injection attempt (server-webapp.rules)
 * 3:48949 <-> ENABLED <-> SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt (server-webapp.rules)