Talos Rules 2020-01-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-identify, file-image, indicator-compromise, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)

Modified Rules:


 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (snort3-browser-ie.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (snort3-browser-ie.rules)
 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (snort3-malware-tools.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (snort3-server-webapp.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (snort3-indicator-compromise.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (snort3-browser-ie.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (snort3-server-webapp.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (snort3-browser-ie.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (snort3-protocol-dns.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (snort3-indicator-compromise.rules)
 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (snort3-malware-tools.rules)

Modified Rules:


 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (snort3-file-identify.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (snort3-file-identify.rules)
 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (snort3-file-identify.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)

2020-01-03 13:19:09 UTC

Snort Subscriber Rules Update

Date: 2020-01-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52519 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52514 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52521 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52515 <-> DISABLED <-> SERVER-WEBAPP Chimera Web Portal System cross site scripting attempt (server-webapp.rules)
 * 1:52518 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.ReverseTcpPowershell download attempt (malware-tools.rules)
 * 1:52522 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52520 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52524 <-> DISABLED <-> PROTOCOL-DNS dnsmasq crafted OPT record denial of service attempt (protocol-dns.rules)
 * 1:52523 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra ProcessLinkFailedAsmJsModule type confusion attempt (browser-ie.rules)
 * 1:52517 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 1:52516 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Trojan.ReverseTcpPowershell connection attempt (indicator-compromise.rules)
 * 3:52534 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52535 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52528 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52526 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52541 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52537 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52531 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52533 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52546 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager LanFabricImpl createLanFabric command injection attempt (server-webapp.rules)
 * 3:52527 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52529 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52539 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52530 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52545 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52538 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52540 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52536 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52544 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)
 * 3:52532 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager directory traversal attempt (server-webapp.rules)
 * 3:52547 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SanWS importTS arbitrary file upload attempt (server-webapp.rules)
 * 3:52525 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager XML external entity injection attempt (server-webapp.rules)
 * 3:52542 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager displayServerInfos information disclosure attempt (server-webapp.rules)
 * 3:52543 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:24463 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:17732 <-> ENABLED <-> FILE-IDENTIFY TIFF file download request (file-identify.rules)
 * 1:24464 <-> ENABLED <-> FILE-IDENTIFY TIFF file attachment detected (file-identify.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)