Talos Rules 2021-04-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, indicator-obfuscation, indicator-shellcode, malware-cnc, netbios, protocol-dns, protocol-voip, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)

Modified Rules:


 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)

Modified Rules:


 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)

Modified Rules:


 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)

Modified Rules:


 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)

Modified Rules:


 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (snort3-protocol-dns.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (snort3-indicator-obfuscation.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (snort3-indicator-shellcode.rules)

Modified Rules:


 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (snort3-malware-cnc.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (snort3-exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (snort3-exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (snort3-malware-cnc.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (snort3-exploit-kit.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (snort3-exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (snort3-exploit-kit.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (snort3-exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (snort3-server-oracle.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (snort3-exploit-kit.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (snort3-malware-cnc.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (snort3-exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (snort3-exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (snort3-exploit-kit.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (snort3-exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (snort3-exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (snort3-exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (snort3-protocol-voip.rules)
 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (snort3-exploit-kit.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (snort3-exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (snort3-exploit-kit.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (snort3-exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (snort3-exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (snort3-exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (snort3-exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (snort3-exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (snort3-exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (snort3-exploit-kit.rules)

2021-04-01 12:51:41 UTC

Snort Subscriber Rules Update

Date: 2021-04-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57384 <-> DISABLED <-> SERVER-WEBAPP WordPress Plugin WP-Paginate 2.1.3 cross site scripting attempt (server-webapp.rules)
 * 1:57385 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation using meaningless bitshift (indicator-obfuscation.rules)
 * 1:57388 <-> DISABLED <-> INDICATOR-SHELLCODE Microsoft Edge Chakra common type confusion placeholder value detected (indicator-shellcode.rules)
 * 1:57383 <-> DISABLED <-> PROTOCOL-DNS dnsmasq sort_rrset buffer overflow attempt (protocol-dns.rules)
 * 1:57387 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:57386 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:30937 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound PDF request (exploit-kit.rules)
 * 1:53744 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Coherence library remote code execution attempt (server-oracle.rules)
 * 1:29187 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound pdf request (exploit-kit.rules)
 * 1:33184 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit Adobe Flash download (exploit-kit.rules)
 * 1:31276 <-> ENABLED <-> EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection (exploit-kit.rules)
 * 1:29163 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:32876 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request (exploit-kit.rules)
 * 1:32386 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound structure (exploit-kit.rules)
 * 1:31970 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:29189 <-> ENABLED <-> EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request (exploit-kit.rules)
 * 1:30936 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure (exploit-kit.rules)
 * 1:30319 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request (exploit-kit.rules)
 * 1:42331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (malware-cnc.rules)
 * 1:30220 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound payload request (exploit-kit.rules)
 * 1:29166 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:30973 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload request (exploit-kit.rules)
 * 1:31965 <-> ENABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31700 <-> ENABLED <-> EXPLOIT-KIT Hanjuan exploit kit landing page detection (exploit-kit.rules)
 * 1:12006 <-> DISABLED <-> PROTOCOL-VOIP Outbound INVITE message (protocol-voip.rules)
 * 1:24407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:26534 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit portable executable download (exploit-kit.rules)
 * 1:28969 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string (exploit-kit.rules)
 * 1:28596 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit payload request (exploit-kit.rules)
 * 1:28967 <-> ENABLED <-> EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection (exploit-kit.rules)
 * 1:32640 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection (exploit-kit.rules)
 * 1:56800 <-> DISABLED <-> SERVER-WEBAPP Liferay arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:31369 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request (exploit-kit.rules)
 * 1:24406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection (malware-cnc.rules)
 * 1:33182 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request (exploit-kit.rules)
 * 1:29167 <-> ENABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29131 <-> ENABLED <-> EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt (exploit-kit.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)