Talos Rules 2020-01-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
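The format line above ("gid:sid <-> Default rule state <-> Message (rule group)") is regular enough to parse mechanically, which is how most operators reconcile a rule pack update with their local overrides. The script below is an added example, not Talos tooling and not code from the original page: it reads a constructed excerpt of the lines above (embedded inline, with one message deliberately carrying a stray double space to show normalisation), tallies entries per section, rule group and default state, lists the new rules that ship DISABLED (those will not fire until an operator opts in, for example through a PulledPork enablesid.conf entry), and separates GID 3 entries. All function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed excerpt of the changelog above (a handful of lines, not the full
# list), in the "gid:sid <-> Default rule state <-> Message (rule group)" layout.
# One message deliberately carries a stray double space to exercise normalisation.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:

 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows  CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
"""

# One changelog entry: gid:sid, default state, message, rule group file.
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into a list of dicts, tagging each rule with the
    section it came from ("new" or "modified"). Lines outside a section or
    not matching the layout are skipped rather than guessed at."""
    section = None
    rules = []
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m is None or section is None:
            continue
        rules.append({
            "section": section,
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            # Collapse runs of whitespace so the same message compares equal across packs.
            "msg": re.sub(r"\s{2,}", " ", m["msg"]),
            "group": m["group"],
        })
    return rules


def summarize(rules):
    """Count entries per (section, rule group, default state)."""
    return dict(Counter((r["section"], r["group"], r["state"]) for r in rules))


def disabled_new_sids(rules):
    """New rules that ship DISABLED by default, as "gid:sid" strings sorted by
    (gid, sid). These are the ones an operator must opt into, e.g. via a
    PulledPork enablesid.conf entry, before they will fire."""
    pairs = sorted((r["gid"], r["sid"]) for r in rules
                   if r["section"] == "new" and r["state"] == "DISABLED")
    return [f"{gid}:{sid}" for gid, sid in pairs]


def shared_object_sids(rules):
    """Rules under GID 3 are shared-object (precompiled) rules; they need the
    matching SO rule package for the Snort build, not just the text rules."""
    return sorted(r["sid"] for r in rules if r["gid"] == 3)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:9} {key[1]:20} {key[2]:9} {n}")
    print("new rules disabled by default:", disabled_new_sids(parsed))
    print("shared-object (GID 3) sids:", shared_object_sids(parsed))
```

Run against the full text of a section above, the DISABLED list is what to review before the next pull: in this release, 1:52606 and 1:52607 (the Microsoft Edge out of bounds write rules) are new but off by default, while the CryptoAPI spoofed-certificate rules are on. GID 3 entries (3:52608 and 3:52609 here) are shared-object rules and will only load if the precompiled SO package matching your Snort version is installed alongside the text rules.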

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

New Rules:


 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (snort3-malware-other.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (snort3-malware-other.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (snort3-server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (snort3-server-webapp.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (snort3-server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (snort3-server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (snort3-server-webapp.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (snort3-server-webapp.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (snort3-server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (snort3-server-webapp.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (snort3-server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (snort3-server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (snort3-server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (snort3-server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (snort3-server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (snort3-server-webapp.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (snort3-server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (snort3-server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (snort3-server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (snort3-server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (snort3-server-webapp.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (snort3-server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (snort3-server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (snort3-server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (snort3-server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (snort3-server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (snort3-server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (snort3-server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (snort3-server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (snort3-server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (snort3-server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (snort3-server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (snort3-server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (snort3-server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (snort3-server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (snort3-server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (snort3-server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (snort3-server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (snort3-server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (snort3-server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (snort3-server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (snort3-server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (snort3-server-webapp.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (snort3-server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (snort3-server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (snort3-server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (snort3-server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (snort3-server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (snort3-server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (snort3-server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (snort3-server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (snort3-server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (snort3-server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (snort3-browser-ie.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (snort3-server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (snort3-browser-ie.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (snort3-server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (snort3-server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (snort3-server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (snort3-server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (snort3-server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (snort3-server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (snort3-server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (snort3-server-webapp.rules)

2020-01-16 18:22:40 UTC

Snort Subscriber Rules Update

Date: 2020-01-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
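The line format above is regular enough to parse, which is how most teams consume these release notes: pull every gid:sid out of the changelog, find the rules Talos ships DISABLED by default in the categories you care about (for example the two Edge out-of-bounds-write rules in this release), and feed the chosen ones to your rule manager. The parser below is an added example written for this page, not Talos code; it assumes PulledPork's enablesid.conf convention of one gid:sid per line, and the sample input is a constructed excerpt copied from this release's own format. Note that gid 3 marks shared-object (SO) rules, which in this release appear only in the Snort 2.9.8.3 list and not in the Snort 3 list, so the set difference below is a useful sanity check when you run both engines.

```python
"""Parse a Talos/Snort rule-update changelog into actionable lists."""
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry looks like:
#  * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s+\((?P<group>[^)]+\.rules)\)\s*$"
)

# Constructed excerpts in the page's own format (Snort 2.9.8.3 and Snort 3 blocks).
SAMPLE_29 = """\
New Rules:

 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:

 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
"""

SAMPLE_3 = """\
New Rules:

 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)

Modified Rules:

 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (snort3-server-webapp.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (snort3-server-webapp.rules)
"""


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool
    category: str
    msg: str
    group: str
    section: str  # "new" or "modified"


def parse_changelog(text):
    """Return Rule records for every gid:sid line, tagged with its section."""
    rules, section = [], "unknown"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:  # headers, blank lines, format description
            continue
        rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                          m["category"], m["msg"], m["group"], section))
    return rules


def disabled_by_default(rules, categories=()):
    """Rules Talos ships DISABLED, optionally limited to chosen categories."""
    return [r for r in rules if not r.enabled and (not categories or r.category in categories)]


def pulledpork_enablesid(rules):
    """Render rules as enablesid.conf lines (assumed format: one gid:sid per line)."""
    return "\n".join(f"{r.gid}:{r.sid}" for r in rules)


def sid_set(rules):
    return {(r.gid, r.sid) for r in rules}


def category_summary(rules):
    """Count entries per (section, category), handy for a one-line release digest."""
    return Counter((r.section, r.category) for r in rules)


if __name__ == "__main__":
    v29, v3 = parse_changelog(SAMPLE_29), parse_changelog(SAMPLE_3)
    print(pulledpork_enablesid(disabled_by_default(v29, ("BROWSER-IE",))))
    print("only in 2.9.x pack:", sorted(sid_set(v29) - sid_set(v3)))
```

Run against the full text of all three changelog blocks on this page, the category summary gives you the per-engine digest and the set difference flags SO rules (gid 3) that the Snort 3 package does not carry.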

New Rules:


 * 1:52615 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant outbound connection detected (malware-other.rules)
 * 1:52614 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Remcos variant outbound connection detected (malware-cnc.rules)
 * 1:52618 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52612 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52616 <-> ENABLED <-> MALWARE-OTHER Win.Downloader.Whiteshadow variant second stage download detected (malware-other.rules)
 * 1:52611 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.AgentTesla variant outbound connection detected (malware-cnc.rules)
 * 1:52606 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52610 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52607 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52617 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 3:52608 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)
 * 3:52609 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0974 attack attempt (file-other.rules)

Modified Rules:


 * 1:52594 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:48815 <-> DISABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48826 <-> ENABLED <-> SERVER-WEBAPP Delta Industrial Automation Robot DRAStudio directory traversal attempt (server-webapp.rules)
 * 1:48726 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48725 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52596 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:52593 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:6511 <-> DISABLED <-> SERVER-WEBAPP ALT-N WebAdmin user param overflow attempt (server-webapp.rules)
 * 1:51424 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:16056 <-> DISABLED <-> SERVER-WEBAPP Symantec Scan Engine authentication bypass attempt (server-webapp.rules)
 * 1:48727 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52595 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:51686 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Accutech Manager HTTP URI buffer overflow attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48730 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:48728 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:1232 <-> DISABLED <-> SERVER-WEBAPP VirusWall catinfo access (server-webapp.rules)
 * 1:1499 <-> DISABLED <-> SERVER-WEBAPP SiteScope Service access (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:14990 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory SOAP Accept Charset header overflow attempt (server-webapp.rules)
 * 1:1518 <-> DISABLED <-> SERVER-WEBAPP nstelemetry.adp access (server-webapp.rules)
 * 1:15446 <-> DISABLED <-> SERVER-WEBAPP Novell eDirectory management console Accept-Language buffer overflow attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:1604 <-> DISABLED <-> SERVER-WEBAPP iChat directory traversal attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:51423 <-> DISABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:1859 <-> DISABLED <-> SERVER-WEBAPP Oracle JavaServer default password login attempt (server-webapp.rules)
 * 1:18960 <-> DISABLED <-> SERVER-WEBAPP Novell GroupWise agents HTTP request remote code execution attempt (server-webapp.rules)
 * 1:1946 <-> DISABLED <-> SERVER-WEBAPP answerbook2 admin attempt (server-webapp.rules)
 * 1:1861 <-> DISABLED <-> SERVER-WEBAPP Linksys router default username and password login attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:48729 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:17432 <-> DISABLED <-> SERVER-WEBAPP Squid Gopher protocol handling buffer overflow attempt (server-webapp.rules)
 * 1:48731 <-> DISABLED <-> SERVER-WEBAPP SmarterStats remote code execution attempt (server-webapp.rules)
 * 1:25318 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:20134 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector buffer overflow attempt (server-webapp.rules)
 * 1:44302 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem firmware upload attempt (server-webapp.rules)
 * 1:19813 <-> DISABLED <-> SERVER-WEBAPP Novell File Reporter Agent stack buffer overflow attempt (server-webapp.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:28289 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R root remote code execution attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:2562 <-> DISABLED <-> SERVER-WEBAPP McAfee ePO file upload attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:41707 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux http response splitting attempt (server-webapp.rules)
 * 1:25319 <-> DISABLED <-> SERVER-WEBAPP InduSoft Web Studio arbitrary file upload attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:3544 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 directory traversal attempt (server-webapp.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:21334 <-> DISABLED <-> SERVER-WEBAPP Openswan/Strongswan Pluto IKE daemon ISAKMP DPD malformed packet DOS attempt (server-webapp.rules)
 * 1:3547 <-> DISABLED <-> SERVER-WEBAPP TrackerCam overly long php parameter overflow attempt (server-webapp.rules)
 * 1:3548 <-> DISABLED <-> SERVER-WEBAPP TrackerCam negative Content-Length attempt (server-webapp.rules)
 * 1:3546 <-> DISABLED <-> SERVER-WEBAPP TrackerCam User-Agent buffer overflow attempt (server-webapp.rules)
 * 1:20530 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:20740 <-> DISABLED <-> SERVER-WEBAPP Dell OpenManage server application field buffer overflow attempt (server-webapp.rules)
 * 1:20531 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Storage Data Protector directory traversal attempt (server-webapp.rules)
 * 1:1947 <-> DISABLED <-> SERVER-WEBAPP answerbook2 arbitrary command execution attempt (server-webapp.rules)
 * 1:44301 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:43326 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:44298 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem command injection attempt (server-webapp.rules)
 * 1:43334 <-> DISABLED <-> SERVER-WEBAPP OpenFiler NetworkCard command execution attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:43324 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:46100 <-> DISABLED <-> SERVER-WEBAPP Laerdal SimMan-3G arbitrary file upload attempt (server-webapp.rules)
 * 1:46623 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Graphics Server buffer overflow attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:43325 <-> DISABLED <-> SERVER-WEBAPP Trihedral VTScada directory traversal attempt (server-webapp.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:28290 <-> ENABLED <-> SERVER-WEBAPP Tenda W302R iwpriv remote code execution attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:42842 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:3545 <-> DISABLED <-> SERVER-WEBAPP TrackerCam ComGetLogFile.php3 log information disclosure (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:45241 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:13591 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan CGI password decryption buffer overflow attempt (server-webapp.rules)
 * 1:1199 <-> DISABLED <-> SERVER-WEBAPP Compaq Insight directory traversal (server-webapp.rules)
 * 1:44299 <-> DISABLED <-> SERVER-WEBAPP AT&T U-verse modem information disclosure attempt (server-webapp.rules)
 * 1:2442 <-> DISABLED <-> SERVER-WEBAPP generic server user-agent buffer overflow attempt (server-webapp.rules)
 * 1:21233 <-> DISABLED <-> SERVER-WEBAPP Symantec Antivirus admin scan interface negative Content-Length attempt (server-webapp.rules)
 * 1:18460 <-> DISABLED <-> SERVER-WEBAPP Symantec Alert Management System pin number buffer overflow attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:43545 <-> DISABLED <-> SERVER-WEBAPP HPE System Management Homepage buffer overflow attempt (server-webapp.rules)
 * 1:45242 <-> DISABLED <-> SERVER-WEBAPP Multiple IP cameras format string exploitation attempt (server-webapp.rules)
 * 1:1558 <-> DISABLED <-> SERVER-WEBAPP Delegate whois overflow attempt (server-webapp.rules)