Talos Rules 2019-04-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-office, file-other, policy-other, protocol-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
 * 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
 * 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:


 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)
 * 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
 * 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
 * 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
 * 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)
 * 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
 * 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (snort3-browser-ie.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (snort3-browser-ie.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (snort3-file-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (snort3-server-other.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (snort3-file-other.rules)
 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (snort3-browser-ie.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (snort3-browser-ie.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (snort3-policy-other.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (snort3-file-other.rules)
 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (snort3-file-other.rules)
 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (snort3-server-webapp.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (snort3-browser-plugins.rules)

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
 * 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
 * 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:


 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)

2019-04-18 12:15:04 UTC

Snort Subscriber Rules Update

Date: 2019-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
 * 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
 * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
 * 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
 * 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)
 * 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
 * 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
 * 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
 * 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)

Modified Rules:


 * 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
 * 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
 * 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
 * 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
 * 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)