Talos Rules 2018-12-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8583: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48515 through 48516.

Microsoft Vulnerability CVE-2018-8617: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8618: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48509 through 48510.

Microsoft Vulnerability CVE-2018-8619: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48531 through 48532.

Microsoft Vulnerability CVE-2018-8624: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48517 through 48518.

Microsoft Vulnerability CVE-2018-8629: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48513 through 48514.

Microsoft Vulnerability CVE-2018-8631: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48533 through 48534.

Microsoft Vulnerability CVE-2018-8634: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48519 through 48520.

Cisco Talos would like to thank Symantec and the Cyber Threat Alliance for working with us to protect our users from Seedworm, rules are identified with GID 1, SIDs 48559 through 48562.

Talos also has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, file-flash, file-identify, file-other, file-pdf, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (file-other.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (server-webapp.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (server-other.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (malware-cnc.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (file-identify.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
 * 3:48528 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0736 attack attempt (protocol-scada.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48522 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48525 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0741 attack attempt (protocol-scada.rules)
 * 3:48521 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0739 attack attempt (protocol-scada.rules)
 * 3:48530 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48526 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0740 attack attempt (protocol-scada.rules)
 * 3:48529 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48524 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0735 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (file-other.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (malware-cnc.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (file-identify.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (server-webapp.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (server-other.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 3:48521 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0739 attack attempt (protocol-scada.rules)
 * 3:48524 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0735 attack attempt (protocol-scada.rules)
 * 3:48530 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48529 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48522 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48526 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0740 attack attempt (protocol-scada.rules)
 * 3:48525 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0741 attack attempt (protocol-scada.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
 * 3:48528 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0736 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (snort3-malware-cnc.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (snort3-malware-cnc.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (snort3-malware-cnc.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (snort3-malware-cnc.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (snort3-browser-firefox.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (snort3-malware-cnc.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (snort3-malware-cnc.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (snort3-browser-firefox.rules)
 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (snort3-browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (snort3-browser-ie.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (snort3-browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (snort3-browser-ie.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (snort3-server-other.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (snort3-browser-webkit.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (snort3-browser-webkit.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (snort3-server-other.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (snort3-server-webapp.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (snort3-server-webapp.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (snort3-server-webapp.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (snort3-malware-cnc.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (snort3-file-identify.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (snort3-malware-cnc.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (snort3-file-pdf.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (snort3-file-pdf.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (snort3-malware-cnc.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (snort3-file-identify.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (snort3-file-identify.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (snort3-malware-cnc.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (snort3-file-identify.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (snort3-file-other.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (snort3-malware-cnc.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (snort3-malware-cnc.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (snort3-browser-plugins.rules)

Modified Rules:


 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (snort3-server-webapp.rules)

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (server-webapp.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (file-other.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (server-other.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (malware-cnc.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (file-identify.rules)
 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 3:48521 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0739 attack attempt (protocol-scada.rules)
 * 3:48522 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48524 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0735 attack attempt (protocol-scada.rules)
 * 3:48525 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0741 attack attempt (protocol-scada.rules)
 * 3:48528 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0736 attack attempt (protocol-scada.rules)
 * 3:48526 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0740 attack attempt (protocol-scada.rules)
 * 3:48529 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
 * 3:48530 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (file-other.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (server-other.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (malware-cnc.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (file-identify.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (server-webapp.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 3:48521 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0739 attack attempt (protocol-scada.rules)
 * 3:48522 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48524 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0735 attack attempt (protocol-scada.rules)
 * 3:48525 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0741 attack attempt (protocol-scada.rules)
 * 3:48526 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0740 attack attempt (protocol-scada.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
 * 3:48528 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0736 attack attempt (protocol-scada.rules)
 * 3:48530 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48529 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)

2018-12-11 18:14:11 UTC

Snort Subscriber Rules Update

Date: 2018-12-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48509 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48508 <-> DISABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48507 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt (malware-cnc.rules)
 * 1:48505 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt (malware-cnc.rules)
 * 1:48504 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48503 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection (malware-cnc.rules)
 * 1:48535 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48534 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48533 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Jscript.Encode out-of-bounds read attempt (browser-ie.rules)
 * 1:48532 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48531 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript execution policy bypass attempt (browser-ie.rules)
 * 1:48520 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48519 <-> DISABLED <-> BROWSER-IE Microsoft Edge buffer overflow attempt (browser-ie.rules)
 * 1:48518 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48517 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra engine memory corruption attempt (browser-ie.rules)
 * 1:48516 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48515 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48514 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48513 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:48512 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48511 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro PDF file use-after-free attempt (file-pdf.rules)
 * 1:48510 <-> DISABLED <-> BROWSER-IE Microsoft Edge Browser Chakra script type confusion exploit attempt (browser-ie.rules)
 * 1:48538 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48537 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48536 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48541 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48540 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48539 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48543 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48542 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48546 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48545 <-> DISABLED <-> SERVER-OTHER LSIS XP-Manager denial of service attempt (server-other.rules)
 * 1:48544 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess 7.0 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:48548 <-> ENABLED <-> SERVER-OTHER Kubernetes API Server bypass attempt (server-other.rules)
 * 1:48547 <-> DISABLED <-> BROWSER-WEBKIT WebKit RegEx engine optimization arbitrary code execution attempt (browser-webkit.rules)
 * 1:48549 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48567 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48566 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48565 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48564 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox javascript type confusion code execution attempt (browser-firefox.rules)
 * 1:48563 <-> DISABLED <-> SERVER-WEBAPP Pilz PASvisu arbitrary file upload attempt (server-webapp.rules)
 * 1:48562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Powermud variant outbound connection (malware-cnc.rules)
 * 1:48558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dofoil variant outbound connection (malware-cnc.rules)
 * 1:48557 <-> DISABLED <-> FILE-OTHER Omron CX-Supervisor malicious project file download attempt (file-other.rules)
 * 1:48556 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48555 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48554 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file attachment detected (file-identify.rules)
 * 1:48553 <-> ENABLED <-> FILE-IDENTIFY Omron CX-Supervisor project file file download request (file-identify.rules)
 * 1:48552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Azorult outbound connection (malware-cnc.rules)
 * 1:48551 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 1:48550 <-> ENABLED <-> SERVER-WEBAPP Apache Superset python pickle library remote code execution attempt (server-webapp.rules)
 * 3:48521 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0739 attack attempt (protocol-scada.rules)
 * 3:48522 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:48524 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0735 attack attempt (protocol-scada.rules)
 * 3:48525 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0741 attack attempt (protocol-scada.rules)
 * 3:48526 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0740 attack attempt (protocol-scada.rules)
 * 3:48527 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0737 attack attempt (protocol-scada.rules)
 * 3:48528 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0736 attack attempt (protocol-scada.rules)
 * 3:48529 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)
 * 3:48530 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0744 attack attempt (browser-other.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48428 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup GlobalViewService.pm command injection attempt (server-webapp.rules)