Talos Rules 2019-08-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-scada, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)

Modified Rules:


 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)

Modified Rules:


 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)
 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)

Modified Rules:


 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (snort3-file-identify.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (snort3-file-pdf.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (snort3-server-other.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (snort3-policy-other.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (snort3-protocol-scada.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (snort3-policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (snort3-policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (snort3-policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (snort3-policy-other.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (snort3-policy-other.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (snort3-server-other.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (snort3-file-pdf.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (snort3-server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (snort3-server-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (snort3-server-other.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (snort3-os-windows.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (snort3-policy-other.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (snort3-policy-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (snort3-policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (snort3-malware-cnc.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (snort3-server-webapp.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (snort3-os-windows.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (snort3-malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (snort3-malware-cnc.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (snort3-server-other.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (snort3-server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (snort3-file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (snort3-browser-ie.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (snort3-server-webapp.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (snort3-server-other.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (snort3-server-webapp.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (snort3-file-identify.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (snort3-file-identify.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (snort3-server-oracle.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (snort3-server-webapp.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (snort3-file-image.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)

2019-08-15 14:12:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51028 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51032 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51025 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51022 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51023 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51031 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:51029 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Object Packager ClickOnce object remote code execution attempt (os-windows.rules)
 * 1:51063 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51037 <-> DISABLED <-> POLICY-OTHER IGMP membership query attempt (policy-other.rules)
 * 1:51030 <-> DISABLED <-> PROTOCOL-SCADA Sielco Sistemi Winlog Lite buffer overflow attempt (protocol-scada.rules)
 * 1:51064 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:51065 <-> DISABLED <-> POLICY-OTHER TCP FIN packet and URG set attempt (policy-other.rules)
 * 1:51066 <-> DISABLED <-> POLICY-OTHER TCP SYN packet and URG set attempt (policy-other.rules)
 * 1:51067 <-> DISABLED <-> POLICY-OTHER DHCP loopback address offer attempt (policy-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51068 <-> DISABLED <-> POLICY-OTHER DHCP multicast address offer attempt (policy-other.rules)
 * 1:51069 <-> DISABLED <-> POLICY-OTHER DHCP broadcast address offer attempt (policy-other.rules)
 * 1:51041 <-> DISABLED <-> SERVER-OTHER LCDproc Server test_func_func stack buffer overflow attempt (server-other.rules)
 * 1:51027 <-> DISABLED <-> SERVER-OTHER Novell iManager ASN.1 client hello parsing denial of service attempt (server-other.rules)
 * 1:51039 <-> DISABLED <-> OS-WINDOWS Microsoft Windows OLE32 MSHTA masquerade attempt (os-windows.rules)
 * 1:51040 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:51060 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51033 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker file download attempt (malware-cnc.rules)
 * 1:51035 <-> DISABLED <-> POLICY-OTHER IP option strict source routing attempt (policy-other.rules)
 * 1:51021 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess directory traversal attempt (server-webapp.rules)
 * 1:51018 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:51036 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51034 <-> DISABLED <-> POLICY-OTHER IP option loose source routing attempt (policy-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51019 <-> DISABLED <-> SERVER-OTHER Tiny HTTP server head request denial of service attempt (server-other.rules)
 * 1:51026 <-> DISABLED <-> FILE-PDF Adobe Reader SFNT out of bounds memory read attempt (file-pdf.rules)
 * 1:51057 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51058 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51043 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lazarus variant outbound connection (malware-cnc.rules)
 * 1:51045 <-> DISABLED <-> SERVER-OTHER Netatalk attn_quantum authentication bypass attempt (server-other.rules)
 * 1:51024 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file attachment detected (file-identify.rules)
 * 1:51046 <-> DISABLED <-> SERVER-OTHER PostgreSQL interval stack buffer overflow attempt (server-other.rules)
 * 1:51047 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51020 <-> DISABLED <-> SERVER-WEBAPP XStream void primitive denial of service attempt (server-webapp.rules)
 * 1:51048 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51049 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51050 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51051 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51052 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51053 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51054 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51055 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51056 <-> DISABLED <-> FILE-OTHER Gitlab directory traversal attempt (file-other.rules)
 * 1:51038 <-> DISABLED <-> BROWSER-IE Microsoft XML core services cross-domain information disclosure attempt (browser-ie.rules)
 * 1:51059 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)

Modified Rules:


 * 1:24484 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:49292 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:49557 <-> ENABLED <-> SERVER-WEBAPP Apache Solr jmx.serviceUrl remote code execution attempt (server-webapp.rules)
 * 1:50444 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:24483 <-> ENABLED <-> FILE-IDENTIFY Embedded Open Type Font file magic detected (file-identify.rules)
 * 1:40482 <-> DISABLED <-> SERVER-OTHER Memcached SASL auth opcode request heap buffer overflow attempt (server-other.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:46375 <-> DISABLED <-> SERVER-OTHER DualDesk v20 Proxy.exe long string denial of service attempt (server-other.rules)
 * 1:49122 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49124 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49125 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49291 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:50441 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:49123 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:50442 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)
 * 1:29871 <-> DISABLED <-> SERVER-ORACLE Oracle Reports server remote code execution attempt (server-oracle.rules)
 * 1:50443 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat TIFF heap buffer overflow attempt (file-image.rules)