Talos Rules 2020-02-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-pdf, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)

Modified Rules:



2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)

Modified Rules:



2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)

Modified Rules:



2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)

Modified Rules:



2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)

Modified Rules:
2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (snort3-browser-ie.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (snort3-malware-other.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (snort3-malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (snort3-malware-other.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (snort3-malware-cnc.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (snort3-browser-plugins.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (snort3-browser-plugins.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (snort3-browser-plugins.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (snort3-browser-plugins.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (snort3-malware-cnc.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (snort3-malware-cnc.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (snort3-browser-ie.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (snort3-file-pdf.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (snort3-malware-other.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (snort3-malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (snort3-malware-other.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (snort3-file-pdf.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (snort3-malware-other.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (snort3-malware-cnc.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (snort3-malware-other.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (snort3-malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (snort3-malware-other.rules)

Modified Rules:
2020-02-20 12:51:23 UTC

Snort Subscriber Rules Update

Date: 2020-02-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53192 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53200 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53166 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53193 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53201 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53194 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53189 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53152 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT outbound connection (malware-cnc.rules)
 * 1:53150 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53202 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53188 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53155 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 1:53160 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53153 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRAT inbound command (malware-cnc.rules)
 * 1:53165 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53191 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53156 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53195 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53198 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53196 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53177 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53167 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53161 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53163 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRAT download attempt (malware-other.rules)
 * 1:53180 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53199 <-> DISABLED <-> BROWSER-PLUGINS HP Sprinter Tidestone Formula One DefaultFontName buffer overflow attempt (browser-plugins.rules)
 * 1:53179 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53164 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.ObliqueRat download attempt (malware-other.rules)
 * 1:53157 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.CrimsonRAT download attempt (malware-other.rules)
 * 1:53190 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53178 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53186 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53159 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onscroll use after free attempt (browser-ie.rules)
 * 1:53158 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.CrimsonRAT download attempt (malware-other.rules)
 * 1:53197 <-> DISABLED <-> MALWARE-OTHER Win.Keylogger.WindowsKeylogger variant download attempt (malware-other.rules)
 * 1:53162 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.ObliqueRAT download attempt (malware-other.rules)
 * 1:53148 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53149 <-> DISABLED <-> FILE-PDF Adobe Acrobat CTextWidget memory corruption attempt (file-pdf.rules)
 * 1:53181 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53182 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53183 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53184 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53185 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53187 <-> DISABLED <-> MALWARE-OTHER Doc.Trojan.Valyria variant download attempt (malware-other.rules)
 * 1:53154 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ObliqueRAT outbound connection (malware-cnc.rules)
 * 3:53176 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53175 <-> ENABLED <-> SERVER-WEBAPP Cisco Data Center Network Manager cross site request forgery attempt (server-webapp.rules)
 * 3:53174 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager saveDefaultCredentials detected (policy-other.rules)
 * 3:53169 <-> ENABLED <-> POLICY-OTHER PostgreSQL default credential login detected (policy-other.rules)
 * 3:53173 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager server properties update detected (policy-other.rules)
 * 3:53172 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager user add detected (policy-other.rules)
 * 3:53170 <-> ENABLED <-> SERVER-OTHER Cisco Email Security Appliance mail log parsing denial of service attempt (server-other.rules)
 * 3:53171 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager password change detected (policy-other.rules)
 * 3:53168 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Contact Center Express arbitrary JSP file upload attempt (server-webapp.rules)

Modified Rules: