Talos Rules 2017-11-09
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-identify, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-11-09 19:01:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)
 * 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
 * 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
 * 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
 * 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)

Modified Rules:


 * 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
 * 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
 * 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
 * 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
 * 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
 * 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)

2017-11-09 19:01:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
 * 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
 * 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
 * 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)
 * 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)

Modified Rules:


 * 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
 * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
 * 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
 * 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
 * 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
 * 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)

2017-11-09 19:01:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44807 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44806 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44805 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44803 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44802 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44801 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44798 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44797 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound communication attempt (malware-cnc.rules)
 * 1:44796 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44795 <-> DISABLED <-> FILE-OFFICE Hewlett-Packard Autonomy KeyView library stack-based buffer overflow attempt (file-office.rules)
 * 1:44794 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44793 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JPEG2000 codestream memory corruption attempt (file-pdf.rules)
 * 1:44792 <-> DISABLED <-> SERVER-WEBAPP Node.js V8 Debugging Protocol command injection attempt (server-webapp.rules)
 * 1:44791 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Retadup cnc communication attempt (malware-cnc.rules)
 * 1:44790 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt (server-webapp.rules)
 * 1:44789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nymaim variant outbound connection attempt (malware-cnc.rules)
 * 1:44787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla outbound connection attempt (malware-cnc.rules)
 * 1:44786 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44785 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44784 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44783 <-> ENABLED <-> FILE-IDENTIFY UltraPlayer USK file buffer overflow attempt (file-identify.rules)
 * 1:44782 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky outbound callout (malware-cnc.rules)
 * 1:44779 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44778 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44776 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44775 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44774 <-> ENABLED <-> MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected (malware-cnc.rules)
 * 1:44773 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44772 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.Datper (blacklist.rules)
 * 1:44771 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence monitoring module download (malware-cnc.rules)
 * 1:44770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence cnc module download (malware-cnc.rules)
 * 1:44769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence inbound download (malware-cnc.rules)
 * 1:44768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence outbound request (malware-cnc.rules)
 * 1:44767 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server cm_agent.php command injection attempt (server-webapp.rules)
 * 1:44766 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44765 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple addgroup.php cross site scripting attempt (server-webapp.rules)
 * 1:44764 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple editusertag.php arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:44763 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44762 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected (malware-cnc.rules)
 * 1:44761 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44760 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Reyptson ransomware download (malware-cnc.rules)
 * 1:44759 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44758 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44757 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:44756 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:44755 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44754 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44753 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:23757 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows CHM file magic detected (file-identify.rules)
 * 1:24648 <-> DISABLED <-> MALWARE-OTHER HTML.Exploit.C99 suspicious file download (malware-other.rules)
 * 1:25063 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:25064 <-> DISABLED <-> SERVER-WEBAPP PHP htmlspecialchars htmlentities function buffer overflow attempt (server-webapp.rules)
 * 1:29593 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera CSRF attempt (server-webapp.rules)
 * 1:29594 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera information leak attempt (server-webapp.rules)
 * 1:29595 <-> DISABLED <-> SERVER-WEBAPP Airlive IP Camera directory traversal attempt (server-webapp.rules)
 * 1:31204 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:31205 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free attempt (browser-ie.rules)
 * 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:32671 <-> DISABLED <-> FILE-OTHER LibYAML yaml_parser_scan_uri_escapes heap buffer overflow attempt (file-other.rules)
 * 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil variant outbound connection (malware-cnc.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:41853 <-> DISABLED <-> OS-LINUX cURL and libcurl set-cookie remote code execution attempt (os-linux.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44098 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript launchURL command injection and remote code execution attempt (file-pdf.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Multiple products PDF JavaScript saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44221 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection (malware-cnc.rules)
 * 1:44434 <-> DISABLED <-> SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt (server-apache.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)