Talos Rules 2018-06-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-cnc, policy-other, server-other, server-webapp and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

Modified Rules:


 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

Modified Rules:


 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-image.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (snort3-server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (snort3-server-webapp.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-image.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (snort3-indicator-compromise.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (snort3-indicator-compromise.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (snort3-server-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (snort3-file-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (snort3-browser-ie.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (snort3-browser-ie.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (snort3-server-webapp.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (snort3-file-office.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (snort3-exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (snort3-file-other.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (snort3-file-office.rules)

Modified Rules:


 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (snort3-malware-cnc.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (snort3-server-webapp.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (snort3-sql.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (snort3-browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (snort3-browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (snort3-malware-cnc.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (snort3-browser-ie.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)

2018-06-28 14:10:45 UTC

Snort Subscriber Rules Update

Date: 2018-06-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47043 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA user enumeration attempt (indicator-compromise.rules)
 * 1:47042 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47041 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance download_agent_installer.php command injection attempt (server-webapp.rules)
 * 1:47038 <-> DISABLED <-> SERVER-WEBAPP TheWebForum cross site scripting attempt (server-webapp.rules)
 * 1:47034 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:47033 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47032 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt (file-multimedia.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47060 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47059 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-image.rules)
 * 1:47058 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47057 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47055 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47054 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47053 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:47052 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess arbitrary file deletion attempt (server-other.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47050 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47049 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:47048 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47047 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47044 <-> DISABLED <-> INDICATOR-COMPROMISE Atvise SCADA privilege escalation attempt (indicator-compromise.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47037 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0619 attack attempt (server-webapp.rules)
 * 3:47039 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:24438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:40366 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
 * 1:40367 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet directory traversal attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
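The entry format each changelog above documents (gid:sid <-> Default rule state <-> Message (rule group)) is regular enough to parse, and parsing it answers the questions an operator actually has about a release: most of the new server-webapp rules ship DISABLED, so they never fire until someone enables them for the products in use; the gid:3 entries are shared-object rules whose only public description is a TALOS-YYYY-NNNN report number; and the Snort 3 pack (version 3000) lists the snort3-*.rules files and no gid:3 entries at all. The script below is an added example, not Talos or Snort project code. Its input is a handful of lines copied from the 2983 and 3000 listings above and labelled as constructed; the remark that PulledPork's enablesid.conf accepts gid:sid entries is the only assumption about external tooling.

```python
"""Parse a Talos/Snort rule-update changelog and pull out what an operator
needs: which new rules are disabled by default (and so need enabling for
the products actually in the environment), which TALOS vulnerability
reports the shared-object (gid 3) rules cover, and which entries one pack
has that another lacks. Added example; not Talos or Snort project code."""
import re
from collections import Counter
from typing import NamedTuple

# One changelog entry: " * gid:sid <-> STATE <-> CATEGORY message (file.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.+?)\s*\((?P<file>[\w.-]+\.rules)\)\s*$"
)


class RuleEntry(NamedTuple):
    gid: int
    sid: int
    enabled: bool      # default state in the policy the pack ships with
    category: str
    message: str
    rule_file: str


def parse_changelog(text: str) -> dict:
    """Split a changelog into {'new': [...], 'modified': [...]} of RuleEntry."""
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            current = "new"
            continue
        if heading == "Modified Rules:":
            current = "modified"
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            sections[current].append(RuleEntry(
                int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                m["category"], m["msg"], m["file"]))
    return sections


def disabled_by_default(entries, keyword: str):
    """gid:sid of rules shipped DISABLED whose message mentions keyword.
    A disabled rule never fires until you turn it on, so this is the list to
    hand to whatever manages rule state (assumption: PulledPork's
    enablesid.conf takes gid:sid entries in exactly this form)."""
    kw = keyword.lower()
    return sorted(f"{e.gid}:{e.sid}" for e in entries
                  if not e.enabled and kw in e.message.lower())


def talos_report_ids(entries):
    """TALOS-YYYY-NNNN report identifiers referenced by shared-object (gid 3) rules."""
    return sorted({rid for e in entries if e.gid == 3
                   for rid in re.findall(r"TALOS-\d{4}-\d{4}", e.message)})


def state_counts(entries) -> Counter:
    """How many entries are enabled vs disabled by default."""
    return Counter("ENABLED" if e.enabled else "DISABLED" for e in entries)


def only_in_first(a, b):
    """(gid, sid) pairs present in pack a but absent from pack b."""
    return sorted({(e.gid, e.sid) for e in a} - {(e.gid, e.sid) for e in b})


# Constructed input: lines copied from the 2983 (Snort 2) and 3000 (Snort 3)
# listings above, trimmed to enough entries to exercise every section.
SNORT2_SAMPLE = """\
New Rules:

 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (server-webapp.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 3:47062 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0620 attack attempt (server-webapp.rules)
 * 3:47040 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0618 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:24437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mirage variant outbound connection (malware-cnc.rules)
"""

SNORT3_SAMPLE = """\
New Rules:

 * 1:47056 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (snort3-file-office.rules)
 * 1:47046 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47045 <-> DISABLED <-> SERVER-WEBAPP phpMyAdmin preg_replace null byte injection attempt (snort3-server-webapp.rules)
 * 1:47061 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (snort3-server-webapp.rules)
 * 1:47051 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
"""

if __name__ == "__main__":
    s2 = parse_changelog(SNORT2_SAMPLE)
    s3 = parse_changelog(SNORT3_SAMPLE)
    print("new:", dict(state_counts(s2["new"])), "modified:", dict(state_counts(s2["modified"])))
    print("enable for phpMyAdmin:", disabled_by_default(s2["new"], "phpMyAdmin"))
    print("TALOS reports covered by SO rules:", talos_report_ids(s2["new"]))
    print("in Snort 2 pack but not in Snort 3 pack:", only_in_first(s2["new"], s3["new"]))
```

Run against the full text of one of the listings above and `disabled_by_default` gives, per product keyword, the sids to enable; `only_in_first` across the 2983 and 3000 packs surfaces the six gid:3 shared-object rules that the Snort 3 pack does not carry, which matters if the Snort 3 sensor is expected to cover the TALOS-2018-0618 through 0622 reports.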