Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-imap, pua-adware, server-apache, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
* 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
* 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
* 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
* 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
* 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
* 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
* 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
* 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
* 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
* 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
* 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
* 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
* 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
* 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
* 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
* 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
* 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
* 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
* 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
* 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
* 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
* 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
* 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
* 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
* 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
* 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
* 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (snort3-malware-cnc.rules)
* 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (snort3-file-multimedia.rules)
* 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
* 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
* 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
* 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (snort3-file-multimedia.rules)
* 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (snort3-malware-cnc.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
* 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
* 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (snort3-malware-cnc.rules)
* 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (snort3-server-other.rules)
* 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (snort3-server-other.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (snort3-file-pdf.rules)
* 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (snort3-file-pdf.rules)
* 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (snort3-server-other.rules)
* 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (snort3-malware-cnc.rules)
* 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (snort3-os-windows.rules)
* 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
* 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
* 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (snort3-os-windows.rules)
* 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
* 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
* 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (snort3-server-webapp.rules)
* 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (snort3-server-webapp.rules)
* 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (snort3-server-webapp.rules)
* 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (snort3-server-webapp.rules)
* 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
* 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (snort3-server-webapp.rules)
* 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (snort3-malware-cnc.rules)
* 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
* 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (snort3-malware-cnc.rules)
* 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (snort3-browser-ie.rules)
* 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (snort3-server-webapp.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules)
* 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (snort3-server-webapp.rules)
* 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (snort3-server-mail.rules)
* 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (snort3-server-webapp.rules)
* 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
* 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (snort3-browser-ie.rules)
* 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (snort3-browser-ie.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (snort3-server-mail.rules)
* 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (snort3-protocol-imap.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (snort3-server-other.rules)
* 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (snort3-server-mail.rules)
* 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (snort3-protocol-imap.rules)
* 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (snort3-server-mail.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (snort3-server-webapp.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (snort3-malware-cnc.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)
* 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
* 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
* 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (snort3-server-apache.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (snort3-policy-other.rules)
* 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (snort3-browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
* 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
* 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
* 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
* 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
* 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
* 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
* 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
* 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
* 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
* 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
* 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
* 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
* 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46486 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:46485 <-> DISABLED <-> SERVER-WEBAPP TwonkyMedia server directory listing attempt (server-webapp.rules)
* 1:46484 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt (server-mail.rules)
* 1:46483 <-> DISABLED <-> SERVER-WEBAPP Wordpress VideoWhisper Live Streaming Integration plugin double extension file upload attempt (server-webapp.rules)
* 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules)
* 1:46481 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46480 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime movie file keys atom integer overflow attempt (file-multimedia.rules)
* 1:46479 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt (malware-cnc.rules)
* 1:46475 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request (malware-cnc.rules)
* 1:46474 <-> ENABLED <-> SERVER-OTHER Quest Appliance NetVault Backup buffer overflow attempt (server-other.rules)
* 1:46473 <-> ENABLED <-> SERVER-OTHER Spring Data Commons remote code execution attempt (server-other.rules)
* 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
* 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
* 1:46488 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy download attempt (malware-cnc.rules)
* 1:46487 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ammy heartbeat (malware-cnc.rules)
* 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
* 1:46491 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46490 <-> ENABLED <-> FILE-PDF Adobe Flash Player ActionScript setFocus use after free attempt (file-pdf.rules)
* 1:46502 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46501 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound request (malware-cnc.rules)
* 1:46505 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46504 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46503 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TTF cmap integer overflow attempt (os-windows.rules)
* 1:46507 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46506 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46508 <-> DISABLED <-> BROWSER-IE Microsoft Edge eval heap overflow attempt (browser-ie.rules)
* 1:46529 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46528 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46527 <-> DISABLED <-> SERVER-WEBAPP LibreEHR 2.0.0 directory traversal attempt (server-webapp.rules)
* 1:46526 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46525 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46524 <-> DISABLED <-> SERVER-WEBAPP OpenEMR 5.0 directory traversal attempt (server-webapp.rules)
* 1:46522 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46521 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46520 <-> DISABLED <-> SERVER-WEBAPP WebPort 1.16.2 directory traversal attempt (server-webapp.rules)
* 1:46519 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46518 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt (server-webapp.rules)
* 1:46517 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46516 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46515 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46514 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46513 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46512 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46511 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46510 <-> DISABLED <-> SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt (server-webapp.rules)
* 1:46509 <-> DISABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API command injection attempt (server-webapp.rules)
* 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure upload servlet directory traversal attempt (server-webapp.rules)
* 3:46496 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46497 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46498 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46499 <-> ENABLED <-> FILE-OTHER Cisco WebEx Recording Player memory corruption attempt (file-other.rules)
* 3:46500 <-> ENABLED <-> POLICY-OTHER Docker API ContainerCreate request detected (policy-other.rules)
* 3:46523 <-> ENABLED <-> SERVER-OTHER malicious HTML file transfer attempt (server-other.rules)
* 1:44531 <-> ENABLED <-> SERVER-APACHE Apache Tomcat remote JSP file upload attempt (server-apache.rules)
* 1:45265 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
* 1:3072 <-> DISABLED <-> PROTOCOL-IMAP STATUS overflow attempt (protocol-imap.rules)
* 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
* 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:3066 <-> DISABLED <-> PROTOCOL-IMAP APPEND overflow attempt (protocol-imap.rules)
* 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
* 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
* 1:46316 <-> ENABLED <-> SERVER-WEBAPP Drupal 8 remote code execution attempt (server-webapp.rules)
* 1:44341 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:46435 <-> ENABLED <-> MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string (malware-cnc.rules)
* 1:17239 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt (server-mail.rules)
* 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
* 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
* 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:44340 <-> ENABLED <-> BROWSER-IE Microsoft Edge setSelectionRange memory corruption attempt (browser-ie.rules)
* 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
* 1:10011 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt (server-mail.rules)
* 1:37375 <-> DISABLED <-> SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt (server-mail.rules)