Talos Rules 2018-08-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-multimedia, file-office, file-pdf, malware-cnc, protocol-tftp, pua-adware, pua-other, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that most of the new server-webapp, server-other and file-pdf rules ship DISABLED by default and add no coverage until a policy enables them; the gid 3 entries are shared-object rules that require the compiled SO stubs for the matching Snort version.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-08-16 13:33:53 UTC

Snort Subscriber Rules Update

Date: 2018-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
 * 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
 * 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
 * 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
 * 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
 * 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
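The changelog format described above ("gid:sid <-> Default rule state <-> Message (rule group)") is regular enough to parse. The following script is an added example, not part of the Talos release notes or any Talos tooling: it parses the changelog lines, separates new from modified rules, lists the rules that ship DISABLED (and so give no coverage until enabled), counts rules per group, and emits gid:sid strings for the disabled rules of chosen groups in the one-per-line form that pulledpork's enablesid.conf accepts. The sample input is a handful of lines copied from the rule pack 2983 list above; the function names are this example's own.

```python
import re
from collections import Counter

# Sample lines copied from the 2018-08-16 release notes (rule pack 2983).
SAMPLE = """\
New Rules:

 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

Modified Rules:

 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
"""

# One changelog entry: "gid:sid <-> Default rule state <-> Message (rule group)".
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it came from."""
    section = None
    rules = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines, headers, anything that is not a rule entry
        rules.append({
            "gid": int(m["gid"]), "sid": int(m["sid"]),
            "state": m["state"], "msg": m["msg"],
            "group": m["group"], "section": section,
        })
    return rules


def disabled_by_default(rules, section="new"):
    """Rules in the section that ship DISABLED: no coverage until a policy enables them."""
    return [r for r in rules if r["section"] == section and r["state"] == "DISABLED"]


def count_by_group(rules):
    """How many entries touch each rule file."""
    return Counter(r["group"] for r in rules)


def enablesid_lines(rules, groups):
    """gid:sid strings for disabled new rules in the given rule files,
    one per line as pulledpork's enablesid.conf accepts them."""
    return [f"{r['gid']}:{r['sid']}"
            for r in disabled_by_default(rules) if r["group"] in groups]


def shared_object_rules(rules):
    """gid 3 entries are shared-object (SO) rules; they need the compiled SO
    stubs built for the exact Snort version, not just the text rule file."""
    return [r for r in rules if r["gid"] == 3]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(f"{len(parsed)} rule entries parsed")
    for r in disabled_by_default(parsed):
        print(f"disabled by default: {r['gid']}:{r['sid']} {r['msg']} [{r['group']}]")
    print(dict(count_by_group(parsed)))
    print("enablesid.conf additions for server-webapp:")
    print("\n".join(enablesid_lines(parsed, {"server-webapp.rules"})))
```

Running it against a full release note rather than the sample is just a matter of passing the whole text to parse_changelog; the regex also accepts the snort3-*.rules file names used in the Snort 3 changelog further down the page.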

2018-08-16 13:33:53 UTC

Snort Subscriber Rules Update

Date: 2018-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
 * 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
 * 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
 * 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
 * 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
 * 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
 * 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)

2018-08-16 13:33:53 UTC

Snort Subscriber Rules Update

Date: 2018-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (snort3-file-flash.rules)
 * 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (snort3-protocol-tftp.rules)
 * 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (snort3-file-office.rules)
 * 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (snort3-file-pdf.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (snort3-server-other.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (snort3-file-office.rules)
 * 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (snort3-file-multimedia.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (snort3-malware-cnc.rules)
 * 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (snort3-file-office.rules)
 * 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (snort3-file-multimedia.rules)
 * 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (snort3-file-multimedia.rules)
 * 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (snort3-file-pdf.rules)
 * 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (snort3-file-multimedia.rules)
 * 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (snort3-pua-adware.rules)
 * 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (snort3-file-flash.rules)
 * 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (snort3-pua-adware.rules)
 * 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (snort3-server-mail.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (snort3-server-webapp.rules)
 * 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (snort3-malware-cnc.rules)
 * 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (snort3-malware-cnc.rules)
 * 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (snort3-malware-cnc.rules)
 * 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (snort3-server-webapp.rules)
 * 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (snort3-server-webapp.rules)
 * 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
 * 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (snort3-file-office.rules)
 * 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
 * 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
 * 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (snort3-server-webapp.rules)
 * 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (snort3-malware-cnc.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (snort3-malware-cnc.rules)
 * 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
 * 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
 * 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (snort3-server-webapp.rules)
 * 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)
 * 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)
 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (snort3-file-pdf.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (snort3-pua-other.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)

2018-08-16 13:33:52 UTC

Snort Subscriber Rules Update

Date: 2018-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
 * 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
 * 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
 * 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
 * 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
 * 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
 * 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)

2018-08-16 13:33:52 UTC

Snort Subscriber Rules Update

Date: 2018-08-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47546 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected (malware-cnc.rules)
 * 1:47545 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway command injection attempt (server-webapp.rules)
 * 1:47544 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47543 <-> DISABLED <-> SERVER-WEBAPP MicroFocus Secure Messaging Gateway enginelist.php SQL injection attempt (server-webapp.rules)
 * 1:47542 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup StorageGroupService.pm command injection attempt (server-webapp.rules)
 * 1:47541 <-> DISABLED <-> SERVER-MAIL EHLO user overflow attempt (server-mail.rules)
 * 1:47540 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47539 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47538 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web jobs.php SQL injection attempt (server-webapp.rules)
 * 1:47537 <-> DISABLED <-> SERVER-WEBAPP Bacula-Web client-report.php SQL injection attempt (server-webapp.rules)
 * 1:47536 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47535 <-> ENABLED <-> PUA-ADWARE Magic Downloader BHO variant outbound connection (pua-adware.rules)
 * 1:47534 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47533 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed MP4-AVC out-of-bounds read attempt (file-multimedia.rules)
 * 1:47532 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47531 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Vector.String class out-of-bounds read attempt (file-flash.rules)
 * 1:47530 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47529 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Flash Player malformed COMM ID3 frame out-of-bounds read attempt (file-multimedia.rules)
 * 1:47563 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47562 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47561 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric U.motion Builder directory traversal attempt (server-webapp.rules)
 * 1:47560 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47559 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47558 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess CertUpdate directory traversal attempt (server-webapp.rules)
 * 1:47557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection (malware-cnc.rules)
 * 1:47555 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47554 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47553 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47552 <-> DISABLED <-> SERVER-WEBAPP Epic MyChart SQL injection attempt (server-webapp.rules)
 * 1:47551 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47550 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess SCADA SQL injection attempt (server-webapp.rules)
 * 1:47549 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel action cross site scripting attempt (server-webapp.rules)
 * 1:47548 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected (malware-cnc.rules)
 * 1:47547 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected (malware-cnc.rules)
 * 1:47566 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47565 <-> DISABLED <-> FILE-OFFICE LibreOffice WEBSERVICE arbitrary file disclosure attempt (file-office.rules)
 * 1:47564 <-> DISABLED <-> PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt (protocol-tftp.rules)
 * 1:47569 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47568 <-> ENABLED <-> FILE-OFFICE Adobe Flash Player ActiveX security bypass attempt (file-office.rules)
 * 1:47567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zegost variant outbound connection (malware-cnc.rules)
 * 1:47570 <-> DISABLED <-> SERVER-OTHER MikroTik RouterOS Winbox user.dat file read attempt (server-other.rules)
 * 1:47575 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 1:47574 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PDF out of bound write attempt (file-pdf.rules)
 * 3:47571 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47572 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)
 * 3:47573 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance proxy denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:46411 <-> ENABLED <-> PUA-OTHER Mineralt TLS server hello attempt (pua-other.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)