Talos Rules 2018-07-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-image, file-other, file-pdf, malware-cnc, malware-other, os-other, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-07-19 17:19:51 UTC

Snort Subscriber Rules Update

Date: 2018-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47259 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47256 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot inbound connection (malware-cnc.rules)
 * 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47258 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47289 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47238 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47283 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47287 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47284 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47278 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt (malware-other.rules)
 * 1:47242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47257 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47277 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47275 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47276 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47260 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47261 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47236 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Prowli variant outbound connection (malware-cnc.rules)
 * 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47255 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47291 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47293 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47268 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47246 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:47267 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47269 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47270 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47271 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47274 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47252 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47251 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47262 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47253 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:47263 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47266 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47254 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47290 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47288 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47294 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47249 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47250 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 3:47281 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47273 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47272 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47286 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47282 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47285 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)

Modified Rules:


 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
 * 3:31983 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)

2018-07-19 17:19:51 UTC

Snort Subscriber Rules Update

Date: 2018-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47293 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47294 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47275 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47287 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47290 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47289 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47283 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47284 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47278 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt (malware-other.rules)
 * 1:47277 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47236 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Prowli variant outbound connection (malware-cnc.rules)
 * 1:47237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47238 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47288 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot inbound connection (malware-cnc.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:47245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47246 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47249 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47250 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47251 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47252 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47253 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:47274 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47254 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47291 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47276 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47255 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47256 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47257 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47258 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47259 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47260 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47261 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47262 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47263 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47266 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47267 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47268 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47269 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47270 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47271 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 3:47273 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47272 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47286 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47285 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47282 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47281 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)

Modified Rules:


 * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 3:31983 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)

2018-07-19 17:19:51 UTC

Snort Subscriber Rules Update

Date: 2018-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47284 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (snort3-file-other.rules)
 * 1:47261 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47287 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47249 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47283 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (snort3-file-other.rules)
 * 1:47289 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:47290 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:47294 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (snort3-browser-ie.rules)
 * 1:47293 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (snort3-browser-ie.rules)
 * 1:47292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (snort3-browser-ie.rules)
 * 1:47238 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47291 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (snort3-browser-ie.rules)
 * 1:47288 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47255 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47246 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (snort3-malware-cnc.rules)
 * 1:47245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (snort3-file-pdf.rules)
 * 1:47242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (snort3-malware-cnc.rules)
 * 1:47243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot inbound connection (snort3-malware-cnc.rules)
 * 1:47241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (snort3-malware-cnc.rules)
 * 1:47259 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47257 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47260 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47258 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47278 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt (snort3-malware-other.rules)
 * 1:47279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47276 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47277 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47274 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47236 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Prowli variant outbound connection (snort3-malware-cnc.rules)
 * 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (snort3-file-pdf.rules)
 * 1:47254 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47275 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47270 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:47271 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:47268 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47269 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47266 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47267 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
 * 1:47262 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47263 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)
 * 1:47250 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47251 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47252 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47253 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (snort3-policy-other.rules)
 * 1:47256 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (snort3-file-other.rules)

Modified Rules:


 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (snort3-exploit-kit.rules)
 * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (snort3-pua-other.rules)

2018-07-19 17:19:51 UTC

Snort Subscriber Rules Update

Date: 2018-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47278 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt (malware-other.rules)
 * 1:47280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47289 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47252 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47238 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot inbound connection (malware-cnc.rules)
 * 1:47251 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47249 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47250 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47246 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:47288 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47287 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47283 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47284 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47294 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47293 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47291 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47290 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47236 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Prowli variant outbound connection (malware-cnc.rules)
 * 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47254 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47256 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47253 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:47255 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47277 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47275 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47276 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47271 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47274 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47269 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47270 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47267 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47268 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47266 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47263 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47261 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47262 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47259 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47260 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47257 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47258 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 3:47286 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47282 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47285 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47272 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47281 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47273 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)

Modified Rules:


 * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 3:31983 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)

2018-07-19 17:19:51 UTC

Snort Subscriber Rules Update

Date: 2018-07-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47263 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47246 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47245 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS TTF out-of-bounds read attempt (file-other.rules)
 * 1:47244 <-> ENABLED <-> MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon (malware-cnc.rules)
 * 1:47243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot inbound connection (malware-cnc.rules)
 * 1:47242 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47241 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mylobot additional payload download (malware-cnc.rules)
 * 1:47240 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47239 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader U3D data stream heap overflow attempt (file-pdf.rules)
 * 1:47238 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47236 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Prowli variant outbound connection (malware-cnc.rules)
 * 1:47262 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47261 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47260 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47259 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47258 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47257 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47256 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47255 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47254 <-> DISABLED <-> FILE-OTHER Microsoft Excel malicious CSV code execution attempt (file-other.rules)
 * 1:47253 <-> ENABLED <-> POLICY-OTHER cryptomining javascript client detected (policy-other.rules)
 * 1:47252 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47251 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47250 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47249 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out-of-bounds read attempt (file-other.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:47269 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47266 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47264 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:47268 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47267 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47270 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47275 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47274 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47271 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSL value-of select transformation out-of-bounds write attempt (file-pdf.rules)
 * 1:47277 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47276 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file PPDoc out-of-bounds read attempt (file-other.rules)
 * 1:47278 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt (malware-other.rules)
 * 1:47294 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47293 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47292 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47291 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:47290 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47289 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript exportAsFDFStr out-of-bounds write attempt (file-pdf.rules)
 * 1:47288 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47287 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript XSLT parsing out-of-bounds read attempt (file-pdf.rules)
 * 1:47284 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47283 <-> DISABLED <-> FILE-OTHER Adobe Reader HTML to PDF conversion getMatchedCSSRules use-after-free attempt (file-other.rules)
 * 1:47280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:47279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 3:47272 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47273 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)
 * 3:47281 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47282 <-> ENABLED <-> SERVER-OTHER Cisco SD-WAN Solution default login attempt (server-other.rules)
 * 3:47285 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)
 * 3:47286 <-> ENABLED <-> SERVER-OTHER Cisco Policy Suite interface unauthenticated access attempt (server-other.rules)

Modified Rules:


 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected (exploit-kit.rules)
 * 1:45549 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency mining pool connection attempt (pua-other.rules)
 * 3:31983 <-> ENABLED <-> OS-OTHER DHCPv6 flood denial of service attempt (os-other.rules)