Talos Rules 2018-11-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (server-webapp.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (server-webapp.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48357 <-> ENABLED <-> SERVER-WEBAPP Cisco Energy Management Suite external executeScript attempt (server-webapp.rules)
 * 3:48358 <-> ENABLED <-> SERVER-WEBAPP Cisco Stealthwatch Management Console authentication bypass attempt (server-webapp.rules)

Modified Rules:

 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (server-webapp.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (server-webapp.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48357 <-> ENABLED <-> SERVER-WEBAPP Cisco Energy Management Suite external executeScript attempt (server-webapp.rules)
 * 3:48358 <-> ENABLED <-> SERVER-WEBAPP Cisco Stealthwatch Management Console authentication bypass attempt (server-webapp.rules)

Modified Rules:

 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (server-webapp.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (server-webapp.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48357 <-> ENABLED <-> SERVER-WEBAPP Cisco Energy Management Suite external executeScript attempt (server-webapp.rules)
 * 3:48358 <-> ENABLED <-> SERVER-WEBAPP Cisco Stealthwatch Management Console authentication bypass attempt (server-webapp.rules)

Modified Rules:

 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (snort3-file-other.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (snort3-file-other.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (snort3-malware-cnc.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (snort3-malware-cnc.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (snort3-malware-cnc.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (snort3-server-webapp.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (snort3-malware-cnc.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (snort3-malware-cnc.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (snort3-protocol-voip.rules)

Modified Rules:

 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (snort3-protocol-voip.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (snort3-protocol-voip.rules)

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (server-webapp.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (server-webapp.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48357 <-> ENABLED <-> SERVER-WEBAPP Cisco Energy Management Suite external executeScript attempt (server-webapp.rules)
 * 3:48358 <-> ENABLED <-> SERVER-WEBAPP Cisco Stealthwatch Management Console authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

2018-11-08 16:53:28 UTC

Snort Subscriber Rules Update

Date: 2018-11-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48350 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48351 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48345 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48346 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48353 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup DnsService.pm command injection attempt (server-webapp.rules)
 * 1:48354 <-> DISABLED <-> SERVER-WEBAPP CVE PHP infinite loop from use of stream filter and convert.iconv file upload attempt (server-webapp.rules)
 * 1:48352 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48327 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48333 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48334 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48337 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48349 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48305 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48300 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48296 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48303 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48343 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48344 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48342 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48295 <-> DISABLED <-> FILE-OTHER out-of-bounds write attempt with malicious MAR file detected (file-other.rules)
 * 1:48355 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48348 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48341 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48336 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banking download attempt initiated (malware-cnc.rules)
 * 1:48332 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48330 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48339 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48326 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48335 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48324 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48331 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48322 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48329 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48320 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48325 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48318 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48323 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48316 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48321 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48314 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48319 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48312 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48317 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48310 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48315 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48308 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48313 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48306 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hlsrc obfuscation attempt (indicator-obfuscation.rules)
 * 1:48311 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48304 <-> ENABLED <-> INDICATOR-OBFUSCATION RTF file objdata hex-escape obfuscation attempt (indicator-obfuscation.rules)
 * 1:48309 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telebot variant outbound connection (malware-cnc.rules)
 * 1:48307 <-> ENABLED <-> MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt (malware-cnc.rules)
 * 1:48340 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48338 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48347 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 1:48328 <-> DISABLED <-> PROTOCOL-VOIP Known SIP scanner User-Agent detected (protocol-voip.rules)
 * 3:48297 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48298 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0705 attack attempt (file-other.rules)
 * 3:48357 <-> ENABLED <-> SERVER-WEBAPP Cisco Energy Management Suite external executeScript attempt (server-webapp.rules)
 * 3:48358 <-> ENABLED <-> SERVER-WEBAPP Cisco Stealthwatch Management Console authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:48265 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:48264 <-> DISABLED <-> PROTOCOL-VOIP SIP wildcard VIA address flood attempt (protocol-voip.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)