Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules) * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules) * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules) * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules) * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules) * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)
* 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules) * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules) * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules) * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules) * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules) * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules) * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules) * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)
* 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules) * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules) * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules) * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules) * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (snort3-file-other.rules) * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (snort3-file-other.rules) * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (snort3-file-other.rules) * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (snort3-file-image.rules) * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (snort3-file-image.rules) * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules) * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (snort3-file-pdf.rules) * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (snort3-file-pdf.rules) * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (snort3-file-pdf.rules) * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules) * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules) * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules) * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (snort3-file-pdf.rules) * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (snort3-file-image.rules) * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (snort3-file-pdf.rules) * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (snort3-file-pdf.rules) * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (snort3-file-pdf.rules) * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (snort3-file-other.rules) * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules) * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (snort3-file-other.rules) * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (snort3-file-pdf.rules) * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (snort3-file-pdf.rules) * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (snort3-indicator-compromise.rules) * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (snort3-indicator-compromise.rules) * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (snort3-malware-cnc.rules) * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (snort3-file-other.rules) * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (snort3-file-other.rules) * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (snort3-file-other.rules) * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (snort3-file-other.rules) * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (snort3-file-pdf.rules) * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (snort3-file-pdf.rules) * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (snort3-file-other.rules) * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (snort3-file-other.rules) * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (snort3-file-pdf.rules) * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (snort3-file-pdf.rules) * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (snort3-file-other.rules) * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (snort3-file-other.rules) * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (snort3-file-pdf.rules) * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (snort3-file-pdf.rules) * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (snort3-file-other.rules) * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (snort3-file-other.rules) * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (snort3-exploit-kit.rules) * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (snort3-indicator-compromise.rules) * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (snort3-indicator-compromise.rules) * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (snort3-server-webapp.rules) * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (snort3-server-webapp.rules) * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (snort3-file-image.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules) * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (snort3-indicator-compromise.rules) * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (snort3-file-pdf.rules) * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (snort3-file-pdf.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (snort3-server-mail.rules) * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (snort3-file-pdf.rules) * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (snort3-file-pdf.rules) * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (snort3-file-image.rules) * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (snort3-file-image.rules) * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (snort3-file-other.rules) * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (snort3-file-other.rules) * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (snort3-file-image.rules) * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (snort3-file-image.rules) * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (snort3-file-other.rules) * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (snort3-file-other.rules) * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules) * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules) * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (snort3-file-other.rules) * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (snort3-file-other.rules) * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (snort3-malware-cnc.rules) * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (snort3-file-image.rules) * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (snort3-file-image.rules) * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules) * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules) * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (snort3-file-pdf.rules) * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (snort3-file-pdf.rules) * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (snort3-file-other.rules) * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (snort3-file-other.rules) * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules) * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (snort3-file-other.rules) * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (snort3-file-other.rules) * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (snort3-file-pdf.rules) * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (snort3-file-pdf.rules) * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (snort3-file-other.rules)
* 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (snort3-malware-cnc.rules) * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (snort3-malware-cnc.rules) * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (snort3-exploit-kit.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (snort3-file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (snort3-file-other.rules) * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (snort3-file-pdf.rules) * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (snort3-file-pdf.rules) * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (snort3-malware-cnc.rules) * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules) * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules) * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules) * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules) * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules) * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules) * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)
* 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules) * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules) * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules) * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:46644 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46638 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46641 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46640 <-> DISABLED <-> INDICATOR-COMPROMISE Win.Worm.Brontok outbound HTTP request attempt (indicator-compromise.rules) * 1:46639 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader DC OCG setIntent memory corruption attempt (file-pdf.rules) * 1:46643 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF compression out of bounds write attempt (file-other.rules) * 1:46642 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:46666 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46665 <-> DISABLED <-> SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt (server-webapp.rules) * 1:46664 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound freegeoip.net geo-IP location connection attempt (indicator-compromise.rules) * 1:46663 <-> DISABLED <-> INDICATOR-COMPROMISE Outbound telize.com geo-IP location connection attempt (indicator-compromise.rules) * 1:46662 <-> ENABLED <-> EXPLOIT-KIT FakeFlash update attempt (exploit-kit.rules) * 1:46660 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46659 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Reader jp2 double free attempt (file-other.rules) * 1:46658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46657 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript Engine annotations use after free attempt (file-pdf.rules) * 1:46656 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46655 <-> DISABLED <-> FILE-OTHER Adobe Acrobat XPS2PDF conversion buffer over-read attempt (file-other.rules) * 1:46654 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46653 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript data structure use after free attempt (file-pdf.rules) * 1:46652 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46651 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro PDX malformed index out of bounds memory read attempt (file-other.rules) * 1:46650 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46649 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA form use after free attempt (file-pdf.rules) * 1:46648 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46647 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EmfPlusDrawBeziers buffer over-read attempt (file-other.rules) * 1:46646 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46645 <-> DISABLED <-> FILE-PDF Adobe Reader XFA node manipulation use-after-free attempt (file-pdf.rules) * 1:46683 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46682 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46681 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46680 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader security bypass attempt (file-pdf.rules) * 1:46679 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules) * 1:46678 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46675 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules) * 1:46674 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46673 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46672 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46671 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46670 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46669 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46668 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46667 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMR_STRETCHDIBITS heap overflow attempt (file-image.rules) * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules) * 1:46702 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46701 <-> DISABLED <-> FILE-IMAGE Adobe Acrboat EMF invalid EMR_STRETCHDIBITS record out-of-bounds read attempt (file-image.rules) * 1:46700 <-> ENABLED <-> MALWARE-CNC Osx.Downloader.Crossrider outbound download request (malware-cnc.rules) * 1:46699 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46698 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded DIB out of bound read attempt (file-other.rules) * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules) * 1:46695 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46694 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF embedded GIF memory corruption attempt (file-other.rules) * 1:46693 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46692 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat EmfPlusDrawCurve out of bounds read attempt (file-image.rules) * 1:46691 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46690 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro path rendertransform out of bound write attempt (file-other.rules) * 1:46689 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46688 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS out-of-bounds read attempt (file-image.rules) * 1:46687 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46686 <-> DISABLED <-> FILE-PDF Adobe Acrobat XFA field type confusion overflow attempt (file-pdf.rules) * 1:46685 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46684 <-> DISABLED <-> SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt (server-mail.rules) * 1:46720 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46719 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46718 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46717 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object heap overflow attempt (file-image.rules) * 1:46716 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46715 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader use after free attempt (file-pdf.rules) * 1:46714 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46713 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules) * 1:46712 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46711 <-> DISABLED <-> FILE-OTHER Adobe Professional BMP embedded image heap overflow attempt (file-other.rules) * 1:46710 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46709 <-> ENABLED <-> FILE-OTHER Adobe Professional EMF embedded image heap overflow attempt (file-other.rules) * 1:46708 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46707 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF malformed EmfPlusPointF object buffer overflow attempt (file-other.rules) * 1:46706 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46705 <-> DISABLED <-> FILE-PDF Adobe Acrobat ADBCAnnotEnumerator use after free attempt (file-pdf.rules) * 1:46721 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46723 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46722 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript annotation use after free attempt (file-pdf.rules) * 1:46728 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46727 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF embedded GIF LZW compression out of bound read attempt (file-other.rules) * 1:46726 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46725 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG out of bounds read attempt (file-image.rules) * 1:46724 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pointer dereference attempt (file-pdf.rules) * 1:46732 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46731 <-> ENABLED <-> FILE-PDF Adobe Reader malformed JPEG2000 image invalid colr size out of bounds read attempt (file-pdf.rules) * 1:46730 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46729 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional XPS out of bounds read attempt (file-other.rules) * 1:46733 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 1:46734 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds read attempt (file-other.rules) * 3:46661 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0594 attack attempt (policy-other.rules)
* 1:20021 <-> ENABLED <-> MALWARE-CNC Win.Worm.Brontok user-agent outbound connection (malware-cnc.rules) * 1:16693 <-> ENABLED <-> MALWARE-CNC Torpig bot sinkhole server DNS lookup (malware-cnc.rules) * 1:44121 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:44122 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Professional EMF JPEG APP13 malformed record memory corruption attempt (file-other.rules) * 1:45040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:45041 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader Annotation use after free attempt (file-pdf.rules) * 1:46482 <-> DISABLED <-> MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration (malware-cnc.rules) * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules) * 1:46610 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules) * 1:25042 <-> DISABLED <-> EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit (exploit-kit.rules) * 3:44166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0428 attack attempt (server-webapp.rules) * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
©2024 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
