Talos Rules 2018-06-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-other, browser-plugins, deleted, file-flash, file-multimedia, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-06-07 15:56:50 UTC

Snort Subscriber Rules Update

Date: 2018-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46903 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46898 <-> DISABLED <-> SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt (server-webapp.rules)
 * 1:46896 <-> DISABLED <-> SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt (server-webapp.rules)
 * 1:46895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocturnal outbound connection (malware-cnc.rules)
 * 1:46894 <-> ENABLED <-> MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon (malware-cnc.rules)
 * 1:46886 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt (server-webapp.rules)
 * 1:46885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Joanap variant outbound connection (malware-cnc.rules)
 * 1:46884 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Joanap variant outbound connection (deleted.rules)
 * 1:46920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46917 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46916 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46915 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46913 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46912 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46910 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46909 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46908 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46907 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46906 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46905 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46904 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 3:46891 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46892 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46889 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46890 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46887 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46888 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46911 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning potentially unauthenticated administrator password change attempt (server-webapp.rules)
 * 3:46914 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning password recovery field reuse attempt (server-webapp.rules)
 * 3:46901 <-> ENABLED <-> BROWSER-OTHER http chunked transfer encoding flowbit attempt (browser-other.rules)
 * 3:46902 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46899 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Provisioning access control group modification request detected (policy-other.rules)
 * 3:46900 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46893 <-> ENABLED <-> SERVER-OTHER Cisco Prime Collaboration Provisioning Java remote method invocation attempt (server-other.rules)
 * 3:46897 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46611 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:11324 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access (browser-plugins.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)

2018-06-07 15:56:50 UTC

Snort Subscriber Rules Update

Date: 2018-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

New Rules:


 * 1:46906 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46912 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46913 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46915 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46916 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46905 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46884 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Joanap variant outbound connection (deleted.rules)
 * 1:46885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Joanap variant outbound connection (malware-cnc.rules)
 * 1:46918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46903 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46904 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46896 <-> DISABLED <-> SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt (server-webapp.rules)
 * 1:46919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46898 <-> DISABLED <-> SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt (server-webapp.rules)
 * 1:46908 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46909 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocturnal outbound connection (malware-cnc.rules)
 * 1:46910 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46907 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46917 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46886 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt (server-webapp.rules)
 * 1:46894 <-> ENABLED <-> MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon (malware-cnc.rules)
 * 3:46887 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46888 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46889 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46890 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46891 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46892 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46893 <-> ENABLED <-> SERVER-OTHER Cisco Prime Collaboration Provisioning Java remote method invocation attempt (server-other.rules)
 * 3:46897 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance directory traversal attempt (server-webapp.rules)
 * 3:46899 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Provisioning access control group modification request detected (policy-other.rules)
 * 3:46900 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46901 <-> ENABLED <-> BROWSER-OTHER http chunked transfer encoding flowbit attempt (browser-other.rules)
 * 3:46902 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46911 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning potentially unauthenticated administrator password change attempt (server-webapp.rules)
 * 3:46914 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning password recovery field reuse attempt (server-webapp.rules)

Modified Rules:


 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:11324 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access (browser-plugins.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46611 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)

2018-06-07 15:56:50 UTC

Snort Subscriber Rules Update

Date: 2018-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:46884 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Joanap variant outbound connection (snort3-deleted.rules)
 * 1:46898 <-> DISABLED <-> SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt (snort3-server-webapp.rules)
 * 1:46885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Joanap variant outbound connection (snort3-malware-cnc.rules)
 * 1:46906 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (snort3-indicator-compromise.rules)
 * 1:46920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (snort3-file-flash.rules)
 * 1:46917 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (snort3-file-flash.rules)
 * 1:46903 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (snort3-indicator-compromise.rules)
 * 1:46912 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (snort3-browser-firefox.rules)
 * 1:46905 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (snort3-indicator-compromise.rules)
 * 1:46894 <-> ENABLED <-> MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon (snort3-malware-cnc.rules)
 * 1:46895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocturnal outbound connection (snort3-malware-cnc.rules)
 * 1:46896 <-> DISABLED <-> SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46916 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (snort3-file-multimedia.rules)
 * 1:46908 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (snort3-indicator-compromise.rules)
 * 1:46909 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (snort3-indicator-compromise.rules)
 * 1:46919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (snort3-file-flash.rules)
 * 1:46910 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (snort3-indicator-compromise.rules)
 * 1:46886 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt (snort3-server-webapp.rules)
 * 1:46915 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (snort3-file-multimedia.rules)
 * 1:46913 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (snort3-browser-firefox.rules)
 * 1:46904 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (snort3-indicator-compromise.rules)
 * 1:46907 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (snort3-indicator-compromise.rules)
 * 1:46918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (snort3-file-flash.rules)

Modified Rules:


 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (snort3-file-flash.rules)
 * 1:11324 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (snort3-file-flash.rules)
 * 1:46611 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (snort3-malware-cnc.rules)

2018-06-07 15:56:50 UTC

Snort Subscriber Rules Update

Date: 2018-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

New Rules:


 * 1:46918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46916 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46909 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46915 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46912 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46907 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46910 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46913 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46917 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46906 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46905 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46898 <-> DISABLED <-> SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt (server-webapp.rules)
 * 1:46904 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46896 <-> DISABLED <-> SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt (server-webapp.rules)
 * 1:46903 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocturnal outbound connection (malware-cnc.rules)
 * 1:46894 <-> ENABLED <-> MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon (malware-cnc.rules)
 * 1:46886 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt (server-webapp.rules)
 * 1:46908 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Joanap variant outbound connection (malware-cnc.rules)
 * 1:46884 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Joanap variant outbound connection (deleted.rules)
 * 3:46887 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46888 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46889 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46890 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46891 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46892 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46893 <-> ENABLED <-> SERVER-OTHER Cisco Prime Collaboration Provisioning Java remote method invocation attempt (server-other.rules)
 * 3:46897 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance directory traversal attempt (server-webapp.rules)
 * 3:46899 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Provisioning access control group modification request detected (policy-other.rules)
 * 3:46900 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46901 <-> ENABLED <-> BROWSER-OTHER http chunked transfer encoding flowbit attempt (browser-other.rules)
 * 3:46902 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46911 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning potentially unauthenticated administrator password change attempt (server-webapp.rules)
 * 3:46914 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning password recovery field reuse attempt (server-webapp.rules)

Modified Rules:


 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46611 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:11324 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access (browser-plugins.rules)

2018-06-07 15:56:50 UTC

Snort Subscriber Rules Update

Date: 2018-06-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:


 * 1:46885 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Joanap variant outbound connection (malware-cnc.rules)
 * 1:46895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nocturnal outbound connection (malware-cnc.rules)
 * 1:46919 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46906 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46907 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46913 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46920 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46917 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46903 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 1:46884 <-> DISABLED <-> DELETED MALWARE-CNC Win.Trojan.Joanap variant outbound connection (deleted.rules)
 * 1:46894 <-> ENABLED <-> MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon (malware-cnc.rules)
 * 1:46908 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows processor modification return to user-mode attempt (indicator-compromise.rules)
 * 1:46912 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products JavaScript string replace buffer overflow attempt (browser-firefox.rules)
 * 1:46898 <-> DISABLED <-> SERVER-WEBAPP Atlassian OAuth plugin multiple versions server side request forgery attempt (server-webapp.rules)
 * 1:46916 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46918 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds write attempt (file-flash.rules)
 * 1:46896 <-> DISABLED <-> SERVER-WEBAPP Joomla component GeoContent typename parameter cross site scripting attempt (server-webapp.rules)
 * 1:46910 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46905 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows malicious CONTEXT structure creation attempt (indicator-compromise.rules)
 * 1:46886 <-> DISABLED <-> SERVER-WEBAPP Quest KACE Systems Management Appliance ajax_email_connection_test.php command injection attempt (server-webapp.rules)
 * 1:46909 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Interrupt Service Routine stack rollback attempt (indicator-compromise.rules)
 * 1:46915 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player abc file parts heap integer overflow attempt (file-multimedia.rules)
 * 1:46904 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows SYSTEM token stealing attempt (indicator-compromise.rules)
 * 3:46892 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46890 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46889 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46888 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46902 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46891 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning SQL injection attempt (server-webapp.rules)
 * 3:46901 <-> ENABLED <-> BROWSER-OTHER http chunked transfer encoding flowbit attempt (browser-other.rules)
 * 3:46900 <-> ENABLED <-> BROWSER-OTHER invalid final chunk size evasion attempt (browser-other.rules)
 * 3:46887 <-> ENABLED <-> SERVER-WEBAPP Cisco Network Services Orchestrator arbitrary command execution attempt (server-webapp.rules)
 * 3:46897 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance directory traversal attempt (server-webapp.rules)
 * 3:46893 <-> ENABLED <-> SERVER-OTHER Cisco Prime Collaboration Provisioning Java remote method invocation attempt (server-other.rules)
 * 3:46914 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning password recovery field reuse attempt (server-webapp.rules)
 * 3:46911 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning potentially unauthenticated administrator password change attempt (server-webapp.rules)
 * 3:46899 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Provisioning access control group modification request detected (policy-other.rules)

Modified Rules:


 * 1:11324 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 3 ActiveX function call access (browser-plugins.rules)
 * 1:46611 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Banload second stage download request (malware-cnc.rules)