Talos Rules 2019-08-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-identify, file-multimedia, file-other, indicator-shellcode, malware-cnc, policy-other, protocol-dns, protocol-other, server-iis, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
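The one-line-per-rule format above is the same in every changelog entry on this page, and a sensor owner reading a release usually wants three things from it: which new rules are ENABLED by default (those start alerting as soon as the pack is installed, unlike the many DISABLED additions), how the additions break down by category, and whether the per-version packs listed further down actually differ or only list the same SIDs in a different order. The following Python is an added example, not Talos tooling. Its sample packs are excerpts copied from this changelog's own New Rules and Modified Rules lists, except PACK_ALTERED, which is constructed to exercise the diff; the note that gid 3 denotes shared-object (SO) rules is Snort convention rather than something this page states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog line after strip():  "* gid:sid <-> STATE <-> Message (group.rules)"
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[A-Za-z0-9_.-]+\.rules)\)$"
)

@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str

    @property
    def category(self) -> str:
        return self.msg.split(" ", 1)[0]          # e.g. "SERVER-WEBAPP"

    @property
    def is_shared_object(self) -> bool:
        # gid 3 = compiled shared-object (SO) rule, built per Snort version,
        # which is why Talos publishes one pack per build (2091401, 2091300, ...).
        return self.gid == 3

def parse_changelog(text: str) -> dict:
    """Return {"new": [RuleEntry, ...], "modified": [RuleEntry, ...]}.
    Blank lines, headers and text outside the two sections are ignored."""
    sections = {"new": [], "modified": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = "new"
            continue
        if line == "Modified Rules:":
            current = "modified"
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current].append(RuleEntry(
                int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                m["msg"], m["group"]))
    return sections

def default_on(entries):
    """Entries that alert immediately on a sensor that keeps default states."""
    return sorted((e for e in entries if e.enabled), key=lambda e: (e.gid, e.sid))

def by_category(entries) -> Counter:
    return Counter(e.category for e in entries)

def diff_packs(a, b):
    """Compare two packs by (gid, sid); returns (only_in_a, only_in_b, state_differs)."""
    ia = {(e.gid, e.sid): e for e in a}
    ib = {(e.gid, e.sid): e for e in b}
    flipped = sorted(k for k in ia.keys() & ib.keys() if ia[k].enabled != ib[k].enabled)
    return sorted(set(ia) - set(ib)), sorted(set(ib) - set(ia)), flipped

# Excerpt of the 2091401 entry above (six new rules, two modified rules).
PACK_2091401 = """\
New Rules:
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)

Modified Rules:
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
"""

# The same six new rules as they appear under the 2091300 entry, in a different order.
PACK_2091300 = """\
New Rules:
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
"""

# Constructed, not from the changelog: 1:50931 flipped to ENABLED and 3:50908 dropped.
PACK_ALTERED = PACK_2091300.replace("1:50931 <-> DISABLED", "1:50931 <-> ENABLED").replace(
    " * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)\n", "")

if __name__ == "__main__":
    pack = parse_changelog(PACK_2091401)
    for e in default_on(pack["new"]):
        print(f"default-on new rule {e.gid}:{e.sid}{' (SO)' if e.is_shared_object else ''}: {e.msg}")
    print(dict(by_category(pack["new"])))
    print(diff_packs(pack["new"], parse_changelog(PACK_2091300)["new"]))
    print(diff_packs(pack["new"], parse_changelog(PACK_ALTERED)["new"]))
```

Run against the full entries on this page, diff_packs reports the 2091401, 2091300, 2091200 and 2091101 lists as identical sets, so the per-version packs differ only in the compiled gid-3 objects, not in which SIDs or default states they carry; the Snort 3 entry is the one to diff separately, since its rules live in the snort3-*.rules files.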

New Rules:


 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)

Modified Rules:


 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)

Modified Rules:


 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)

Modified Rules:


 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (snort3-server-other.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (snort3-server-other.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (snort3-server-other.rules)
 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (snort3-server-webapp.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (snort3-server-webapp.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (snort3-server-webapp.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (snort3-server-webapp.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (snort3-protocol-other.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (snort3-malware-cnc.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (snort3-malware-cnc.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (snort3-file-other.rules)

Modified Rules:


 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (snort3-file-identify.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (snort3-server-iis.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (snort3-browser-plugins.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (snort3-protocol-dns.rules)
 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (snort3-browser-plugins.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (snort3-file-multimedia.rules)
 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (snort3-browser-plugins.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (snort3-server-iis.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (snort3-browser-plugins.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (snort3-indicator-shellcode.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (snort3-browser-plugins.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (snort3-indicator-shellcode.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (snort3-protocol-dns.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (snort3-policy-other.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (snort3-server-mail.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (snort3-browser-webkit.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (snort3-protocol-dns.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (snort3-policy-other.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (snort3-server-iis.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)

2019-08-08 12:27:17 UTC

Snort Subscriber Rules Update

Date: 2019-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50915 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50931 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50919 <-> DISABLED <-> SERVER-OTHER Novell Open Enterprise Server 2 HTTPSTK service denial-of-service attempt (server-other.rules)
 * 1:50930 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50921 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50916 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50918 <-> DISABLED <-> SERVER-WEBAPP Git client path validation command execution attempt (server-webapp.rules)
 * 1:50933 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50913 <-> DISABLED <-> SERVER-OTHER nfs-utils TCP connection termination denial-of-service attempt (server-other.rules)
 * 1:50934 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection to a known URI path (malware-cnc.rules)
 * 1:50923 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50924 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50914 <-> DISABLED <-> SERVER-OTHER Blue Coat BCAAA buffer overflow attempt (server-other.rules)
 * 1:50926 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50912 <-> DISABLED <-> SERVER-WEBAPP Subsonic Subscribe to Podcast cross site scripting attempt (server-webapp.rules)
 * 1:50917 <-> DISABLED <-> SERVER-WEBAPP Belkin N150 abitrary file read attempt (server-webapp.rules)
 * 1:50928 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50935 <-> ENABLED <-> MALWARE-CNC Win.Malware.Lookback outbound connection (malware-cnc.rules)
 * 1:50910 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50929 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50922 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50925 <-> DISABLED <-> SERVER-WEBAPP Oracle 9i Application Server OWA_UTIL information disclosure attempt (server-webapp.rules)
 * 1:50932 <-> DISABLED <-> PROTOCOL-OTHER MQTT Client ID ACL Bypass attempt (protocol-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50927 <-> DISABLED <-> FILE-OTHER tcpdump SLIP invalid direction out of bound read attempt (file-other.rules)
 * 1:50911 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:50909 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0883 attack attempt (server-other.rules)
 * 3:50904 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50906 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50908 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0885 attack attempt (server-other.rules)
 * 3:50902 <-> ENABLED <-> POLICY-OTHER Cisco ASA running configuration download request detected (policy-other.rules)
 * 3:50905 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50907 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:7018 <-> DISABLED <-> BROWSER-PLUGINS Sysmon ActiveX function call access (browser-plugins.rules)
 * 1:17160 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio LtXmlComHelp8.dll ActiveX control access (browser-plugins.rules)
 * 1:977 <-> DISABLED <-> SERVER-IIS .cnf access (server-iis.rules)
 * 1:42372 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:7005 <-> DISABLED <-> BROWSER-PLUGINS OutlookExpress.AddressBook ActiveX function call access (browser-plugins.rules)
 * 1:1446 <-> DISABLED <-> SERVER-MAIL vrfy root (server-mail.rules)
 * 1:1435 <-> DISABLED <-> PROTOCOL-DNS named authors attempt (protocol-dns.rules)
 * 1:7010 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper.1 ActiveX function call access (browser-plugins.rules)
 * 1:649 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setgid 0 (indicator-shellcode.rules)
 * 1:7007 <-> DISABLED <-> BROWSER-PLUGINS AxDebugger.Document.1 ActiveX function call access (browser-plugins.rules)
 * 1:7011 <-> DISABLED <-> BROWSER-PLUGINS HtmlDlgSafeHelper.HtmlDlgSafeHelper ActiveX function call access (browser-plugins.rules)
 * 1:7012 <-> DISABLED <-> BROWSER-PLUGINS Internet.PopupMenu.1 ActiveX function call access (browser-plugins.rules)
 * 1:37732 <-> ENABLED <-> POLICY-OTHER eicar test string download attempt (policy-other.rules)
 * 1:650 <-> DISABLED <-> INDICATOR-SHELLCODE x86 setuid 0 (indicator-shellcode.rules)
 * 1:255 <-> DISABLED <-> PROTOCOL-DNS dns zone transfer via TCP detected (protocol-dns.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:1402 <-> DISABLED <-> SERVER-IIS iissamples access (server-iis.rules)
 * 1:42374 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:17161 <-> DISABLED <-> BROWSER-PLUGINS Liquid XML Studio ActiveX clsid access (browser-plugins.rules)
 * 1:5714 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari x-unix-mode executable mail attachment (browser-webkit.rules)
 * 1:7016 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Object.Microsoft.DXTFilter ActiveX function call access (browser-plugins.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:42375 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:1009 <-> DISABLED <-> SERVER-IIS directory listing (server-iis.rules)
 * 1:42373 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:42376 <-> ENABLED <-> POLICY-OTHER eicar file detected (policy-other.rules)
 * 1:257 <-> DISABLED <-> PROTOCOL-DNS named version attempt (protocol-dns.rules)
 * 3:48958 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:48959 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50899 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0882 attack attempt (server-other.rules)