Talos Rules 2019-07-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-nntp, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)

Modified Rules:
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)

Modified Rules:
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (snort3-malware-other.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (snort3-malware-other.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (snort3-malware-cnc.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (snort3-malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (snort3-file-image.rules)

Modified Rules:


 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (snort3-server-other.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (snort3-protocol-services.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (snort3-malware-other.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (snort3-browser-plugins.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (snort3-server-other.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (snort3-file-multimedia.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (snort3-server-iis.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (snort3-server-mssql.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (snort3-server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (snort3-server-webapp.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (snort3-malware-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (snort3-file-multimedia.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (snort3-server-other.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (snort3-server-webapp.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (snort3-server-mssql.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (snort3-server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (snort3-server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (snort3-server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (snort3-server-iis.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (snort3-os-windows.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (snort3-file-identify.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (snort3-os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (snort3-protocol-ftp.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (snort3-browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (snort3-browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (snort3-server-other.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (snort3-server-other.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (snort3-protocol-ftp.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (snort3-server-other.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (snort3-server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (snort3-server-mysql.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (snort3-os-windows.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (snort3-server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (snort3-browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (snort3-server-oracle.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (snort3-os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (snort3-file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (snort3-os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (snort3-os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (snort3-os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (snort3-protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (snort3-os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (snort3-os-windows.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (snort3-server-other.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (snort3-os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (snort3-server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (snort3-protocol-telnet.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (snort3-protocol-dns.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (snort3-server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (snort3-server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (snort3-protocol-nntp.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (snort3-server-other.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (snort3-os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (snort3-server-oracle.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (snort3-protocol-dns.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (snort3-server-webapp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (snort3-os-windows.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (snort3-file-other.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (snort3-server-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (snort3-server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (snort3-server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (snort3-server-webapp.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (snort3-os-windows.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (snort3-server-other.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (snort3-server-mail.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (snort3-server-webapp.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (snort3-sql.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (snort3-server-iis.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (snort3-protocol-rpc.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (snort3-server-webapp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (snort3-server-mssql.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (snort3-server-webapp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (snort3-sql.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (snort3-protocol-snmp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (snort3-server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (snort3-server-iis.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (snort3-server-webapp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (snort3-protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (snort3-protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (snort3-protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (snort3-protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (snort3-protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (snort3-protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (snort3-protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (snort3-protocol-snmp.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (snort3-server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (snort3-os-windows.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (snort3-server-other.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (snort3-protocol-telnet.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (snort3-server-mysql.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (snort3-browser-plugins.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (snort3-server-mysql.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (snort3-protocol-imap.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (snort3-server-webapp.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (snort3-protocol-telnet.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (snort3-server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (snort3-server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (snort3-indicator-compromise.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (snort3-file-other.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (snort3-indicator-compromise.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (snort3-protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (snort3-protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (snort3-protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (snort3-protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (snort3-browser-ie.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (snort3-malware-other.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (snort3-browser-plugins.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)

Modified Rules:


 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)

Modified Rules:


 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)