Talos Rules 2022-05-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-multimedia, file-other, file-pdf, malware-other, policy-other, protocol-imap, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats involving these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)

Modified Rules:


 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)

Modified Rules:


 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)

Modified Rules:


 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)

Modified Rules:


 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)

Modified Rules:


 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)

Modified Rules:


 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)

Modified Rules:


 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)

Modified Rules:


 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)

Modified Rules:


 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:300166 <-> ENABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (snort3-protocol-scada.rules)
 * 1:300171 <-> ENABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (snort3-policy-other.rules)
 * 1:300173 <-> ENABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (snort3-server-other.rules)
 * 1:300163 <-> ENABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (snort3-protocol-imap.rules)
 * 1:300172 <-> ENABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (snort3-server-webapp.rules)
 * 1:300177 <-> ENABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (snort3-server-other.rules)
 * 1:300175 <-> ENABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (snort3-server-other.rules)
 * 1:300174 <-> ENABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (snort3-server-other.rules)
 * 1:300169 <-> ENABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (snort3-server-other.rules)
 * 1:300176 <-> ENABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (snort3-server-other.rules)

Modified Rules:


 * 1:59486 <-> ENABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (snort3-server-apache.rules)
 * 1:59548 <-> ENABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (snort3-file-image.rules)
 * 1:43677 <-> ENABLED <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:43676 <-> ENABLED <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:59549 <-> ENABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (snort3-file-image.rules)
 * 1:59615 <-> ENABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (snort3-server-other.rules)

2022-05-17 12:35:59 UTC

Snort Subscriber Rules Update

Date: 2022-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59787 <-> DISABLED <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt (protocol-scada.rules)
 * 1:59792 <-> DISABLED <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service (server-other.rules)
 * 1:59788 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59796 <-> DISABLED <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt (server-webapp.rules)
 * 1:59789 <-> DISABLED <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt (file-other.rules)
 * 1:59800 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59791 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59782 <-> DISABLED <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt (protocol-imap.rules)
 * 1:59795 <-> DISABLED <-> POLICY-OTHER IBM Data Risk Management administrative login attempt (policy-other.rules)
 * 1:59785 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59797 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59786 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt (file-multimedia.rules)
 * 1:59798 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59793 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59799 <-> DISABLED <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt (server-other.rules)
 * 1:59784 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)
 * 1:59801 <-> DISABLED <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt (server-other.rules)
 * 1:59790 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59794 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59783 <-> DISABLED <-> FILE-PDF Adobe Acrobat DC memory corruption attempt (file-pdf.rules)

Modified Rules:


 * 1:59548 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59615 <-> DISABLED <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt (server-other.rules)
 * 1:59183 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:59182 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt (malware-other.rules)
 * 1:59549 <-> DISABLED <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)

2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:03 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:04 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:04 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt


2022-05-17 12:39:04 UTC

Snort Subscriber Rules Update

Date: 2022-05-16-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300163 <-> PROTOCOL-IMAP Dovecot Pigeonhole string parsing remote code execution attempt
* 1:300164 <-> FILE-PDF Adobe Acrobat DC memory corruption attempt
* 1:300165 <-> FILE-MULTIMEDIA Apple QuickTime ftab atom buffer overflow attempt
* 1:300166 <-> PROTOCOL-SCADA VIPA Automation WinPLC7 buffer overflow attempt
* 1:300167 <-> FILE-OTHER ABB Panel Builder BeModBus CommandLineOptions stack-based buffer overflow attempt
* 1:300168 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300169 <-> SERVER-OTHER ISC BIND lightweight resolver protocol denial of service
* 1:300170 <-> MALWARE-OTHER Win.Trojan.WhisperGate download attempt
* 1:300171 <-> POLICY-OTHER IBM Data Risk Management administrative login attempt
* 1:300172 <-> SERVER-WEBAPP Nostromo nhttpd http_header_comp buffer overflow attempt
* 1:300173 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300174 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300175 <-> SERVER-OTHER NetGain Enterprise Manager arbitrary RMI registry insecure deserialization attempt
* 1:300176 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 1:300177 <-> SERVER-OTHER Bind9 server response self-signed certificate denial of service attempt
* 3:59646 <-> SERVER-OTHER OpenSSL X509_cmp_time out of bounds read attempt

Modified Rules:

* 1:300076 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300077 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:300078 <-> SERVER-OTHER EMC Data Protection Advisor default credential attempt
* 1:43676 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:43677 <-> FILE-PDF FreeType PostScript Type1 font parsing memory corruption attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59548 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59549 <-> FILE-IMAGE ImageMagick GIF comment off-by-one buffer overflow attempt
* 1:59615 <-> SERVER-OTHER Kerberos cross-realm referrals KDC NULL pointer dereference attempt