Talos Rules 2018-04-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-office, malware-cnc, netbios, os-windows, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-04-24 17:57:15 UTC

Snort Subscriber Rules Update

Date: 2018-04-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
 * 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
 * 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
 * 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
 * 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
 * 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
 * 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
 * 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (malware-cnc.rules)
 * 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
 * 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
 * 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)

2018-04-24 17:57:15 UTC

Snort Subscriber Rules Update

Date: 2018-04-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
 * 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
 * 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
 * 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
 * 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
 * 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
 * 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
 * 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
 * 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
 * 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (malware-cnc.rules)
 * 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)

Modified Rules:


 * 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)
 * 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)

2018-04-24 17:57:15 UTC

Snort Subscriber Rules Update

Date: 2018-04-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
 * 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
 * 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (snort3-browser-other.rules)
 * 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (snort3-browser-other.rules)
 * 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (snort3-browser-ie.rules)
 * 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (snort3-browser-ie.rules)
 * 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (snort3-malware-cnc.rules)
 * 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (snort3-malware-cnc.rules)
 * 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (snort3-server-other.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (snort3-server-other.rules)
 * 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
 * 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
 * 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (snort3-server-webapp.rules)
 * 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (snort3-netbios.rules)
 * 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (snort3-malware-cnc.rules)
 * 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (snort3-malware-cnc.rules)
 * 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (snort3-os-windows.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (snort3-pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (snort3-pua-other.rules)
 * 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (snort3-pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (snort3-pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (snort3-pua-other.rules)
 * 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (snort3-pua-other.rules)
 * 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (snort3-malware-cnc.rules)
 * 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (snort3-server-other.rules)
 * 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (snort3-server-other.rules)
 * 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (snort3-os-windows.rules)
 * 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (snort3-os-windows.rules)
 * 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (snort3-malware-cnc.rules)
 * 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (snort3-malware-cnc.rules)
 * 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (snort3-malware-cnc.rules)
 * 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
 * 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
 * 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
 * 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (snort3-browser-ie.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (snort3-server-apache.rules)
 * 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
 * 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
 * 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
 * 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (snort3-os-windows.rules)
 * 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (snort3-malware-cnc.rules)
 * 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (snort3-malware-cnc.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (snort3-malware-cnc.rules)

Modified Rules:


 * 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (snort3-file-office.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (snort3-server-other.rules)
 * 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (snort3-file-office.rules)

2018-04-24 17:57:15 UTC

Snort Subscriber Rules Update

Date: 2018-04-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
 * 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
 * 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
 * 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
 * 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
 * 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
 * 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
 * 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
 * 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
 * 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (malware-cnc.rules)

Modified Rules:


 * 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)
 * 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)

2018-04-24 17:57:15 UTC

Snort Subscriber Rules Update

Date: 2018-04-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46418 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46417 <-> DISABLED <-> SERVER-OTHER X.509 IPAddressFamily extension buffer overread attempt (server-other.rules)
 * 1:46416 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Autoit outbound connection (malware-cnc.rules)
 * 1:46415 <-> ENABLED <-> PUA-OTHER obfuscated cryptomining javascript download attempt (pua-other.rules)
 * 1:46414 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46413 <-> ENABLED <-> PUA-OTHER Mineralt cryptocurrency mining attempt (pua-other.rules)
 * 1:46412 <-> DISABLED <-> PUA-OTHER Javascript obfuscated by obfuscator.io download attempt (pua-other.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:46410 <-> ENABLED <-> PUA-OTHER Mineralt TLS client hello attempt (pua-other.rules)
 * 1:46409 <-> DISABLED <-> OS-WINDOWS Attempted DNS overflow (os-windows.rules)
 * 1:46408 <-> DISABLED <-> SERVER-WEBAPP Moodle PoodLL Filter plugin cross site scripting attempt (server-webapp.rules)
 * 1:46407 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver payload download attempt (malware-cnc.rules)
 * 1:46406 <-> ENABLED <-> MALWARE-CNC Bitvote miner kernel driver outbound request attempt (malware-cnc.rules)
 * 1:46405 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46404 <-> DISABLED <-> BROWSER-PLUGINS RealPlayer rmoc3260.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46403 <-> DISABLED <-> NETBIOS SMB NTLM Authentication with unknown authentication message type attempt (netbios.rules)
 * 1:46402 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46401 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46400 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-343 Mail_Test command injection attempt (server-webapp.rules)
 * 1:46434 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo client outbound connection (malware-cnc.rules)
 * 1:46433 <-> ENABLED <-> MALWARE-CNC Win.Adware.Doyo initial connection (malware-cnc.rules)
 * 1:46432 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46431 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46430 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46429 <-> DISABLED <-> OS-WINDOWS Total Meltdown side-channel information leak attempt (os-windows.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:46427 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46426 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46425 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46424 <-> DISABLED <-> BROWSER-IE Microsoft Edge Javascript ParseCatch type confusion attempt (browser-ie.rules)
 * 1:46423 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens initial outbound request (malware-cnc.rules)
 * 1:46422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46421 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kraens delivery attempt (malware-cnc.rules)
 * 1:46420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XXE information disclosure attempt (os-windows.rules)
 * 1:46437 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46436 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string  (malware-cnc.rules)
 * 1:46440 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:46439 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt (malware-cnc.rules)
 * 1:46438 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Agent inbound connection (malware-cnc.rules)
 * 1:46441 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46444 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46443 <-> DISABLED <-> BROWSER-OTHER HTTP encoding header evasion attempt (browser-other.rules)
 * 1:46442 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJsInterpreter method use after free attempt (browser-ie.rules)
 * 1:46446 <-> ENABLED <-> SERVER-OTHER Oracle Weblogic unsafe deserialization remote code execution attempt detected (server-other.rules)
 * 1:46445 <-> ENABLED <-> SERVER-OTHER Oracle WebLogic unsafe deserialization remote code execution attempt detected (server-other.rules)

Modified Rules:


 * 1:24974 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:24975 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf invalid listoverridecount value attempt (file-office.rules)
 * 1:44890 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote privilege escalation attempt (server-other.rules)