Talos Rules 2019-10-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-identify, file-image, file-other, malware-cnc, malware-tools, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)

Modified Rules:
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)

Modified Rules:
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)

Modified Rules:


 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (snort3-policy-other.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (snort3-server-webapp.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (snort3-server-mail.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (snort3-server-mail.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (snort3-server-mail.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (snort3-policy-other.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (snort3-policy-other.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (snort3-file-identify.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (snort3-file-identify.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (snort3-file-identify.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (snort3-server-other.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (snort3-malware-cnc.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (snort3-browser-webkit.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (snort3-server-other.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (snort3-policy-other.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (snort3-server-webapp.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (snort3-server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (snort3-file-other.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (snort3-server-webapp.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (snort3-file-other.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (snort3-file-other.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (snort3-file-other.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (snort3-malware-tools.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (snort3-server-webapp.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (snort3-server-webapp.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (snort3-browser-webkit.rules)

Modified Rules:


 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (snort3-server-other.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (snort3-server-webapp.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (snort3-server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (snort3-server-other.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (snort3-server-webapp.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)

2019-10-24 12:16:42 UTC

Snort Subscriber Rules Update

Date: 2019-10-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51973 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:52007 <-> DISABLED <-> POLICY-OTHER HTTP GET request from URL list attempt (policy-other.rules)
 * 1:51977 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51970 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:51978 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51987 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51999 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:51994 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:51993 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file attachment detected (file-identify.rules)
 * 1:52001 <-> DISABLED <-> SERVER-WEBAPP WordPress meta_input path traversal attempt (server-webapp.rules)
 * 1:51976 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51988 <-> DISABLED <-> POLICY-OTHER Invalid HTTP content type (policy-other.rules)
 * 1:51996 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:51972 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51983 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51975 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:51979 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51980 <-> DISABLED <-> SERVER-WEBAPP FusionPBX service_edit.php command injection attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:52000 <-> DISABLED <-> FILE-OTHER LibreOffice office document arbitrary script execution attempt (file-other.rules)
 * 1:52019 <-> DISABLED <-> SERVER-MAIL MailEnable Mail Server IMAP client command buffer overflow attempt (server-mail.rules)
 * 1:51969 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51985 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51995 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51967 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51991 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51990 <-> DISABLED <-> POLICY-OTHER Zavio IP Camera 1.6.03 remote feed access attempt (policy-other.rules)
 * 1:51974 <-> DISABLED <-> SERVER-WEBAPP SolarWinds Storage Manager directory traversal attempt (server-webapp.rules)
 * 1:52005 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:51968 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Emotet variant download attempt (malware-tools.rules)
 * 1:51984 <-> DISABLED <-> SERVER-MAIL Mail.app AppleSingleDouble command execution attempt (server-mail.rules)
 * 1:51992 <-> ENABLED <-> FILE-IDENTIFY Windows Media Metafile file download request (file-identify.rules)
 * 1:52002 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:52004 <-> DISABLED <-> MALWARE-CNC Win.Trojan.OceanLotus variant download attempt (malware-cnc.rules)
 * 1:52003 <-> DISABLED <-> BROWSER-WEBKIT WebKit WebCore handleMenuItemSelected use after free attempt (browser-webkit.rules)
 * 1:51997 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 1:51986 <-> DISABLED <-> FILE-OTHER Viber for Desktop URI handler remote code execution attempt (file-other.rules)
 * 1:51989 <-> DISABLED <-> SERVER-OTHER Squid Proxy cache denial of service attempt (server-other.rules)
 * 1:51998 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA 8.3.2 command injection attempt (server-webapp.rules)
 * 3:52017 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52010 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52008 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52011 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0930 attack attempt (server-webapp.rules)
 * 3:52014 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52009 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0936 attack attempt (file-other.rules)
 * 3:52018 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52013 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0929 attack attempt (server-webapp.rules)
 * 3:52016 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52021 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52015 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0931 attack attempt (server-webapp.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)

Modified Rules:


 * 1:2657 <-> DISABLED <-> SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt (server-webapp.rules)
 * 1:39850 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:39849 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server ccca_ajaxhandler.php command injection attempt (server-webapp.rules)
 * 1:10407 <-> DISABLED <-> SERVER-OTHER Helix Server LoadTestPassword buffer overflow attempt (server-other.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access attempt (server-other.rules)
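Worked example, added here and not part of the Talos release notes or any Snort tooling: a small Python parser for the entry format described in each block above (`gid:sid <-> Default rule state <-> Message (rule group)`). It pulls out the three things an operator checks before deploying a release: which entries are ENABLED in the default policy (most gid:1 additions above ship DISABLED, so updating rules alone gives no coverage for, say, the FusionPBX or Advantech entries until they are turned on locally), which entries are gid:3 shared-object rules that need the SO package matching your Snort build rather than the text rule files, and which SIDs differ between two per-version lists (the 3.0.0.0 list above contains no gid:3 entries at all). The sample inputs are constructed subsets of the 2.9.9.0 and 3.0.0.0 lists on this page; the "gid:sid" output form is the one PulledPork's enablesid.conf accepts.

```python
# Added example (not Talos or Snort code): parse the
# "gid:sid <-> STATE <-> CATEGORY message (rulefile)" changelog format and
# summarize a release the way an operator would before deploying it.
import re
from collections import Counter, namedtuple

Rule = namedtuple("Rule", "gid sid state category message rulefile")

# One changelog entry, e.g.
#  * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<message>.*?)\s*\((?P<rulefile>[^()]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return a Rule for every well-formed entry; headers and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"],
                              m["category"], m["message"], m["rulefile"]))
    return rules


def enabled_by_default(rules):
    """(gid, sid) pairs that fire without any local policy change."""
    return {(r.gid, r.sid) for r in rules if r.state == "ENABLED"}


def shared_object_rules(rules):
    """gid 3 entries are shared-object (SO) rules: they need the SO package built
    for your Snort version/platform, not just the text .rules files."""
    return sorted((r.gid, r.sid) for r in rules if r.gid == 3)


def count_by_category(rules):
    """How many entries each rule category (SERVER-WEBAPP, MALWARE-CNC, ...) received."""
    return Counter(r.category for r in rules)


def disabled_in_category(rules, category):
    """'gid:sid' strings for entries that ship DISABLED in one category, in the
    form an enable list (e.g. PulledPork's enablesid.conf) takes."""
    return [f"{r.gid}:{r.sid}" for r in rules
            if r.category == category and r.state == "DISABLED"]


def diff_releases(rules_a, rules_b):
    """(only_in_a, only_in_b) as sets of (gid, sid): compare two per-version lists."""
    a = {(r.gid, r.sid) for r in rules_a}
    b = {(r.gid, r.sid) for r in rules_b}
    return a - b, b - a


# Constructed sample input: a subset of the 2.9.9.0 and 3.0.0.0 lists on this page.
SNORT2_EXCERPT = """\
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (server-other.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (server-webapp.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 3:52012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0927 attack attempt (policy-other.rules)
 * 3:52020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0933 attack attempt (file-image.rules)
"""

SNORT3_EXCERPT = """\
 * 1:52006 <-> DISABLED <-> SERVER-OTHER Eclipse Mosquitto MQTT SUBSCRIBE request topic parsing buffer overflow attempt (snort3-server-other.rules)
 * 1:51981 <-> ENABLED <-> SERVER-WEBAPP Microsoft Sharepoint DestinationFolder cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51982 <-> DISABLED <-> SERVER-WEBAPP AlienVault USM and OSSIM FQDN command injection attempt (snort3-server-webapp.rules)
 * 1:51971 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (snort3-malware-cnc.rules)
"""

if __name__ == "__main__":
    s2 = parse_changelog(SNORT2_EXCERPT)
    s3 = parse_changelog(SNORT3_EXCERPT)
    print("per category:", dict(count_by_category(s2)))
    print("enabled by default:", sorted(enabled_by_default(s2)))
    print("SO (gid 3) rules:", shared_object_rules(s2))
    print("SERVER-WEBAPP shipped disabled:", disabled_in_category(s2, "SERVER-WEBAPP"))
    only2, only3 = diff_releases(s2, s3)
    print("in 2.9.9.0 excerpt only:", sorted(only2), "| in 3.0.0.0 excerpt only:", sorted(only3))
```

Run against the full text of one block above, `disabled_in_category` gives the list to review and enable per category, and `diff_releases` across two blocks shows exactly which SIDs a Snort 3 sensor will not receive from this release.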