Talos Rules 2019-09-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (snort3-file-flash.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (snort3-server-webapp.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (snort3-file-flash.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (snort3-file-flash.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (snort3-policy-other.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (snort3-malware-cnc.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (snort3-server-other.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (snort3-server-other.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (snort3-exploit-kit.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (snort3-exploit-kit.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (snort3-server-webapp.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (snort3-server-webapp.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (snort3-exploit-kit.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (snort3-indicator-obfuscation.rules)

Modified Rules:


 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (snort3-os-windows.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (snort3-server-webapp.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (snort3-indicator-compromise.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (snort3-indicator-compromise.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (snort3-os-windows.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)

Modified Rules:


 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

2019-09-26 12:01:41 UTC

Snort Subscriber Rules Update

Date: 2019-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51634 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51636 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound connection (exploit-kit.rules)
 * 1:51640 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51630 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51648 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ActiveX same origin method execution attempt (file-flash.rules)
 * 1:51635 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ordinypt malicious executable download attempt (malware-cnc.rules)
 * 1:51637 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51644 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51653 <-> DISABLED <-> SERVER-WEBAPP Weblog Expert Web Server Enterprise denial of service attempt (server-webapp.rules)
 * 1:51632 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51638 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit executable download attempt (exploit-kit.rules)
 * 1:51639 <-> DISABLED <-> SERVER-OTHER AVEVA InduSoft Web Studio and InTouch Edge HMI buffer overflow attempt (server-other.rules)
 * 1:51633 <-> DISABLED <-> INDICATOR-OBFUSCATION JavaScript exploit obfuscation attempt (indicator-obfuscation.rules)
 * 1:51631 <-> DISABLED <-> POLICY-OTHER Easy Hosting Control Panel command execution attempt (policy-other.rules)
 * 1:51641 <-> DISABLED <-> SERVER-WEBAPP JavaScript library OpenPGP.js improper signature verification attempt (server-webapp.rules)
 * 1:51629 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:51643 <-> DISABLED <-> FILE-FLASH Adobe Flash Player use-after-free attempt (file-flash.rules)
 * 1:51642 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Gmera variant outbound connection (malware-cnc.rules)
 * 1:51647 <-> DISABLED <-> SERVER-OTHER Indusoft Web Studio and Intouch Machine Edition stack buffer overflow attempt (server-other.rules)
 * 3:51652 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0894 attack attempt (server-webapp.rules)
 * 3:51628 <-> ENABLED <-> POLICY-OTHER Cisco IOS Layer 2 Traceroute vlan enumeration detected (policy-other.rules)
 * 3:51646 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE FTP Application Layer Gateway denial of service attempt (server-other.rules)
 * 3:51645 <-> ENABLED <-> SERVER-OTHER Cisco IOx invalid TLS handshake type denial of service attempt (server-other.rules)
 * 3:51650 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0898 attack attempt (policy-other.rules)
 * 3:51626 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51649 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2019-0901 attack attempt (os-windows.rules)
 * 3:51651 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0896 attack attempt (policy-other.rules)
 * 3:51623 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51622 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51627 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS SIP denial of service attempt (protocol-voip.rules)
 * 3:51625 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)
 * 3:51624 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Software command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:23230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST client identifier overflow attempt (os-windows.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager reporting.aspx SQL injection attempt (server-webapp.rules)
 * 1:33216 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org (indicator-compromise.rules)
 * 1:33215 <-> DISABLED <-> INDICATOR-COMPROMISE DNS request for known malware domain icanhazip.com (indicator-compromise.rules)
 * 1:23231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NT DHCP REQUEST hostname overflow attempt (os-windows.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)