Talos Rules 2020-04-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-identify, file-multimedia, file-pdf, malware-other, protocol-tftp, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (snort3-server-other.rules)
 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (snort3-file-identify.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (snort3-malware-other.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (snort3-server-webapp.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (snort3-browser-firefox.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (snort3-browser-firefox.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (snort3-server-webapp.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (snort3-malware-other.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (snort3-file-identify.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (snort3-malware-other.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (snort3-server-webapp.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (snort3-malware-other.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (snort3-server-webapp.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (snort3-protocol-voip.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (snort3-server-webapp.rules)

2020-04-07 12:34:17 UTC

Snort Subscriber Rules Update

Date: 2020-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53570 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53580 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53579 <-> DISABLED <-> PROTOCOL-VOIP Asterisk Manager Interface Originate action arbitrary command execution attempt (protocol-voip.rules)
 * 1:53560 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 1:53569 <-> ENABLED <-> FILE-IDENTIFY BIMx file magic detected (file-identify.rules)
 * 1:53566 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53581 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox potential use after free attempt (browser-firefox.rules)
 * 1:53561 <-> DISABLED <-> SERVER-WEBAPP Wordpress GDPR Cookie Consent plugin cross-site scripting attempt (server-webapp.rules)
 * 1:53568 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53555 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53556 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Zbot-7647437-0 download attempt (malware-other.rules)
 * 1:53557 <-> DISABLED <-> SERVER-OTHER Codesys V3 Gateway denial of service attempt (server-other.rules)
 * 1:53558 <-> ENABLED <-> SERVER-WEBAPP Codesys V3 WebVisu remote heap overflow attempt (server-webapp.rules)
 * 1:53567 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin ThemeREX PHP code injection attempt (server-webapp.rules)
 * 1:53559 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generickdz-7648973-0 download attempt (malware-other.rules)
 * 3:53577 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53578 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53562 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1030 attack attempt (server-other.rules)
 * 3:53563 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53564 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2020-1031 attack attempt (file-pdf.rules)
 * 3:53565 <-> ENABLED <-> PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2020-1029 attack attempt (protocol-tftp.rules)
 * 3:53571 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53576 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53572 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53573 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53574 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)
 * 3:53575 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1032 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:53505 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail data import PHP code injection attempt (server-webapp.rules)