Talos Rules 2019-05-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)

Modified Rules:


 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)

Modified Rules:


 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)

Modified Rules:


 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (snort3-file-other.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (snort3-file-other.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (snort3-policy-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (snort3-malware-cnc.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (snort3-malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (snort3-indicator-compromise.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (snort3-malware-cnc.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (snort3-malware-cnc.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (snort3-os-windows.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (snort3-os-windows.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (snort3-file-other.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (snort3-os-linux.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (snort3-policy-other.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (snort3-policy-other.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (snort3-file-pdf.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (snort3-file-pdf.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (snort3-file-other.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (snort3-file-other.rules)

Modified Rules:


 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules)
 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (snort3-file-flash.rules)
 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (snort3-server-webapp.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (snort3-file-flash.rules)

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)

Modified Rules:


 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)

2019-05-28 19:25:21 UTC

Snort Subscriber Rules Update

Date: 2019-05-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50225 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50235 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50226 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50228 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50229 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50227 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50231 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50191 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50192 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:50230 <-> ENABLED <-> FILE-OTHER Adobe Acrobat malformed font file use after free attempt (file-other.rules)
 * 1:50193 <-> DISABLED <-> POLICY-OTHER Intel AMT IDE Redirection session establishment attempt (policy-other.rules)
 * 1:50194 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50190 <-> DISABLED <-> OS-LINUX Debian apt remote code execution attempt (os-linux.rules)
 * 1:50219 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50215 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50211 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50224 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50221 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50222 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50207 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50220 <-> ENABLED <-> FILE-PDF Adobe Acrobat untrusted pointer dereference attempt (file-pdf.rules)
 * 1:50217 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50218 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver malicious executable download attempt (malware-cnc.rules)
 * 1:50203 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50216 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reaver variant outbound connection attempt (malware-cnc.rules)
 * 1:50213 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50214 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50212 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50209 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50210 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50208 <-> ENABLED <-> OS-WINDOWS Windows Installer bypass privilege escalation attempt (os-windows.rules)
 * 1:50205 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50206 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50204 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant outbound connection (malware-cnc.rules)
 * 1:50201 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50202 <-> DISABLED <-> INDICATOR-COMPROMISE Peppa Pig botnet outbound scan attempt (indicator-compromise.rules)
 * 1:50200 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remexi variant outbound connection (malware-cnc.rules)
 * 1:50197 <-> DISABLED <-> POLICY-OTHER Intel AMT WebUI configuration attempt (policy-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50233 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50232 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50195 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)
 * 1:50223 <-> ENABLED <-> FILE-OTHER Adobe Acrobat use after free attempt (file-other.rules)
 * 1:50234 <-> ENABLED <-> FILE-OTHER Adobe Acrobat type confusion attempt (file-other.rules)
 * 1:50196 <-> DISABLED <-> POLICY-OTHER Intel AMT KVM connection attempt (policy-other.rules)

Modified Rules:


 * 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
 * 1:49583 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49584 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray inflate information disclosure attempt (file-flash.rules)
 * 1:49585 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)
 * 1:49586 <-> DISABLED <-> FILE-FLASH Adobe Flash Player byteArray uncompress information disclosure attempt (file-flash.rules)