Talos Rules 2018-10-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-linux, os-other, os-windows, protocol-dns, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)

Modified Rules:

 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)

Modified Rules:

 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (snort3-pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (snort3-pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (snort3-pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (snort3-malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (snort3-server-other.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (snort3-browser-ie.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (snort3-server-webapp.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (snort3-malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (snort3-malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (snort3-server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (snort3-server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (snort3-file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (snort3-file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (snort3-file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (snort3-server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (snort3-file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (snort3-file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (snort3-file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (snort3-file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (snort3-server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (snort3-malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (snort3-server-other.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (snort3-file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (snort3-file-other.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (snort3-file-image.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (snort3-file-other.rules)

Modified Rules:

 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (snort3-server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (snort3-server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (snort3-file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)

Modified Rules:


 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)

2018-10-11 14:46:14 UTC

Snort Subscriber Rules Update

Date: 2018-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44919 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
 * 1:44920 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45255 <-> ENABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45444 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45443 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:47821 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47820 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:45839 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45838 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:48089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48085 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48084 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48082 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent download attempt (malware-cnc.rules)
 * 1:48081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48079 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:48078 <-> DISABLED <-> PUA-ADWARE Win.Adware.OneSystemCare download attempt (pua-adware.rules)
 * 1:48077 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48076 <-> DISABLED <-> PUA-ADWARE Win.Adware.Wajam variant outbound connection (pua-adware.rules)
 * 1:48075 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48074 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds read attempt (file-other.rules)
 * 1:48127 <-> DISABLED <-> SERVER-OTHER Reliance SCADA Control Server Denial of Service attempt (server-other.rules)
 * 1:48110 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48109 <-> DISABLED <-> SERVER-OTHER Aktakom oscilloscope denial of service attempt (server-other.rules)
 * 1:48108 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48107 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:48106 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48105 <-> ENABLED <-> FILE-MULTIMEDIA libvorbis VORBIS audio data out of bounds write attempt (file-multimedia.rules)
 * 1:48104 <-> DISABLED <-> SERVER-WEBAPP CMS Made Simple arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:48103 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48102 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48101 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48100 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JPEG Huffman table memory corruption attempt (file-pdf.rules)
 * 1:48099 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48098 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48097 <-> ENABLED <-> SERVER-WEBAPP D-Link DIR-816 syslogIp command injection attempt (server-webapp.rules)
 * 1:48096 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48095 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48094 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:48093 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MirageFox variant outbound connection (malware-cnc.rules)
 * 1:48091 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Occamy variant outbound connection (malware-cnc.rules)
 * 1:48126 <-> DISABLED <-> SERVER-WEBAPP Joomba component Timetable Schedule 3.6.8 SQL injection attempt (server-webapp.rules)
 * 1:48125 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48124 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF ImageConversion out-of-bounds write attempt (file-other.rules)
 * 1:48123 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48122 <-> ENABLED <-> FILE-OTHER Microsoft .NET Resources file remote code execution attempt (file-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:48120 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48119 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48118 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48117 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48116 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48115 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ITranslator variant outbound connection (malware-cnc.rules)
 * 1:48114 <-> DISABLED <-> SERVER-OTHER Delta Industrial Automation Robot DRAStudio Arbitrary File Disclosure attempt (server-other.rules)
 * 1:48113 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48112 <-> DISABLED <-> FILE-PDF Foxit Reader uninitialized pointer leak attempt (file-pdf.rules)
 * 1:48111 <-> DISABLED <-> FILE-PDF Foxit Reader text annotations use after free attempt (file-pdf.rules)
 * 1:48128 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48129 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48135 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48134 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat SGI parsing out of bounds read attempt (file-image.rules)
 * 1:48133 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48132 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48131 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48130 <-> DISABLED <-> BROWSER-IE Microsoft Edge sandbox escape attempt (browser-ie.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48140 <-> ENABLED <-> MALWARE-CNC Win.Downloader.XAgent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:48064 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:48065 <-> DISABLED <-> SERVER-WEBAPP WP plugin Localize My Post directory traversal attempt (server-webapp.rules)
 * 1:43973 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)
 * 1:43974 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF comment memory corruption attempt (file-other.rules)