Talos Rules 2017-08-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-image, file-multimedia, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-08-15 14:41:10 UTC

Snort Subscriber Rules Update

Date: 2017-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
 * 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
 * 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
 * 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
 * 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)

Modified Rules:


 * 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
 * 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)

2017-08-15 14:41:10 UTC

Snort Subscriber Rules Update

Date: 2017-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
 * 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
 * 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
 * 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
 * 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
 * 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)

Modified Rules:


 * 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
 * 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)

2017-08-15 14:41:10 UTC

Snort Subscriber Rules Update

Date: 2017-08-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43980 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43979 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43978 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43977 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43976 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43975 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt (malware-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:43971 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43970 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIER16 out of bounds access attempt (file-multimedia.rules)
 * 1:43969 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kradod connection attempt (malware-cnc.rules)
 * 1:43968 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43967 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_POLYBEZIERTO16 out of bounds access attempt (file-multimedia.rules)
 * 1:43966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Explorer .doc file denial of service attempt (os-windows.rules)
 * 1:43964 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43963 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file kerning data memory corruption attempt (file-other.rules)
 * 1:43962 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43961 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Forms Data Format embedded javascript attempt (file-pdf.rules)
 * 1:43960 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:43959 <-> DISABLED <-> SERVER-OTHER Sybase Open Server function pointer array code execution attempt (server-other.rules)
 * 1:43958 <-> DISABLED <-> SERVER-WEBAPP SoapUI WSDL types element remote code execution attempt (server-webapp.rules)
 * 1:43957 <-> DISABLED <-> SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt (server-webapp.rules)
 * 1:43956 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43955 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine integer overflow attempt (browser-chrome.rules)
 * 1:43954 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:43953 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43952 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed AMR buffer overflow attempt (file-other.rules)
 * 1:43951 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 1:43950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Globeimposter outbound connection (malware-cnc.rules)
 * 1:43949 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43948 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA engine heap memory corruption attempt (file-pdf.rules)
 * 1:43947 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43946 <-> DISABLED <-> FILE-OTHER Guitar Pro malformed GPX buffer overflow attempt (file-other.rules)
 * 1:43945 <-> DISABLED <-> FILE-OTHER Magic Music Editor malformed CDA buffer overflow attempt (file-other.rules)
 * 1:43944 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 1:43943 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:43942 <-> DISABLED <-> FILE-OTHER Abbs Media Player LST buffer overflow attempt (file-other.rules)
 * 1:43941 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43940 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed EMR_COMMENT record out of bounds access attempt (file-multimedia.rules)
 * 1:43939 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station synotheme_upload.php session forgery attempt (server-webapp.rules)
 * 1:43938 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43937 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43936 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station file_upload.php directory traversal attempt (server-webapp.rules)
 * 1:43935 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php directory traversal attempt (server-webapp.rules)
 * 1:43934 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station PixlrEditorHandler.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43933 <-> DISABLED <-> INDICATOR-COMPROMISE VBScript accessing scripting API for WMI (indicator-compromise.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:43931 <-> ENABLED <-> EXPLOIT-KIT RIG exploit kit shellcode detected (exploit-kit.rules)
 * 1:43930 <-> ENABLED <-> MALWARE-CNC Win.Malware.GamKer variant outbound connection attempt (malware-cnc.rules)
 * 1:43929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt (malware-cnc.rules)
 * 1:43928 <-> DISABLED <-> PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt (protocol-other.rules)
 * 1:43927 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43926 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA javascript use after free exploitation attempt (file-pdf.rules)
 * 1:43925 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43924 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader duplicate U3D header memory corruption attempt (file-pdf.rules)
 * 1:43923 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43922 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43921 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43920 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43919 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43918 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader exportDataObject security bypass attempt (file-pdf.rules)
 * 1:43917 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43916 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF sub-block memory corruption attempt (file-other.rules)
 * 1:43915 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43914 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode type confusion exploitation attempt (file-pdf.rules)
 * 1:43913 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43912 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43911 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43910 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43909 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43908 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Reader JPEG 2000 tile memory corruption attempt (file-image.rules)
 * 1:43907 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43906 <-> ENABLED <-> FILE-PDF Adobe Reader XFA loadXML use after free attempt (file-pdf.rules)
 * 1:43905 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43904 <-> ENABLED <-> FILE-PDF Adobe Reader execMenuItem buffer overflow attempt (file-pdf.rules)
 * 1:43903 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43902 <-> DISABLED <-> FILE-IMAGE Adobe Reader EMF EMR_STROKEPATH memory corruption attempt (file-image.rules)
 * 1:43901 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)
 * 1:43900 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Professional XPS2PDF memory corruption attempt (file-other.rules)

Modified Rules:


 * 1:7113 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection (malware-backdoor.rules)
 * 1:7114 <-> DISABLED <-> MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection (malware-backdoor.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:5718 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count attempt (os-windows.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:26161 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:26158 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:26160 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:26157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 9 onbeforeprint use after free attempt (browser-ie.rules)
 * 1:18286 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products element style change memory corruption code execution attempt (browser-firefox.rules)
 * 1:20742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla PLUGINSPAGE javascript execution attempt (browser-firefox.rules)
 * 1:10214 <-> DISABLED <-> BROWSER-PLUGINS Shockwave ActiveX Control clsid access (browser-plugins.rules)
 * 1:16734 <-> DISABLED <-> FILE-OTHER multiple products malformed CUE file buffer overflow attempt (file-other.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)