Talos Rules 2018-12-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-12-20 00:16:54 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
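As an added example (not code from the Talos release notes), the following Python parses the listing format stated above and runs the checks a rule maintainer would want before deploying a pack: which SIDs ship DISABLED and need explicit enabling, a tally per rule category, the list of TLDs named by the DNS indicator rules, and a pairing check for those DNS rules, which come in tcp and UDP pairs per TLD. The SAMPLE text is constructed for this example in the page's format and deliberately gives 1:48672 the same message as 1:48670 so that the pairing check has something to report; all function and variable names are my own.

```python
"""Parse a Talos/Snort rule-update changelog and sanity-check it.

Added example, not part of the Talos release notes.  The listing format is
the one the page states:
    gid:sid <-> Default rule state <-> Message (rule group)
SAMPLE is constructed for this example, not the full release.
"""
import re
from collections import defaultdict

# Constructed sample in the changelog format.  The ".oss dns query" line for
# 1:48672 is deliberately wrong (its tcp partner 1:48671 is ".oz") so that
# check_dns_pairs() has something to flag.
SAMPLE = """\
New Rules:

 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)

Modified Rules:

 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[^)]+)\)\s*$"
)
# The DNS indicator messages: "DNS suspicious .tld [tcp] dns query"
DNS_RE = re.compile(r"DNS suspicious (?P<tld>\.\S+)(?P<tcp> tcp)? dns query$")


def parse_changelog(text):
    """Return one dict per rule line, tagged with its section (new/modified)."""
    records, section = [], None
    for line in text.splitlines():
        if line.strip() == "New Rules:":
            section = "new"
            continue
        if line.strip() == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and headers
        rec = m.groupdict()
        rec["gid"], rec["sid"] = int(rec["gid"]), int(rec["sid"])
        rec["category"] = rec["msg"].split(" ", 1)[0]  # e.g. FILE-OTHER
        rec["section"] = section
        records.append(rec)
    return records


def disabled_by_default(records):
    """gid:sid strings for rules that ship DISABLED and need explicit enabling."""
    return [f"{r['gid']}:{r['sid']}" for r in records if r["state"] == "DISABLED"]


def count_by_category(records):
    """How many rules each category (the first token of the message) touched."""
    counts = defaultdict(int)
    for r in records:
        counts[r["category"]] += 1
    return dict(counts)


def suspicious_tlds(records):
    """Sorted TLDs named by the DNS indicator rules, e.g. for a resolver-log hunt."""
    tlds = set()
    for r in records:
        m = DNS_RE.search(r["msg"])
        if m:
            tlds.add(m.group("tld"))
    return sorted(tlds)


def check_dns_pairs(records):
    """Every '.tld tcp dns query' rule should have a UDP '.tld dns query' sibling.

    Returns (tlds with a tcp rule but no udp rule, messages shared by >1 sid).
    """
    tcp, udp, by_msg = set(), set(), defaultdict(list)
    for r in records:
        m = DNS_RE.search(r["msg"])
        if not m:
            continue
        (tcp if m.group("tcp") else udp).add(m.group("tld"))
        by_msg[r["msg"]].append(r["sid"])
    unpaired = sorted(tcp - udp)
    duplicates = {msg: sids for msg, sids in by_msg.items() if len(sids) > 1}
    return unpaired, duplicates


if __name__ == "__main__":
    recs = parse_changelog(SAMPLE)
    print("parsed", len(recs), "rules:", count_by_category(recs))
    print("disabled by default:", disabled_by_default(recs))
    print("dns tlds:", suspicious_tlds(recs))
    print("unpaired tcp rules, duplicated messages:", check_dns_pairs(recs))
```

Run against a full listing, disabled_by_default() gives the gid:sid entries to put in your rule manager's enable list (pulledpork's enablesid.conf takes gid:sid entries); a rule that ships DISABLED in the default policy, such as 1:48640 and 1:48641 in this release, will not alert until you enable it. The pairing check is worth keeping in a pre-deployment script: a tcp rule whose UDP partner is missing, or two SIDs carrying the same message, is usually a sign that a message was mistyped in the pack.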

New Rules:


 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz dns query (indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
 * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)

Modified Rules:


 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)

2018-12-20 00:16:54 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz dns query (indicator-compromise.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)
 * 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)

2018-12-20 00:16:54 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (snort3-indicator-compromise.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (snort3-indicator-compromise.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (snort3-indicator-compromise.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (snort3-indicator-compromise.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (snort3-indicator-compromise.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (snort3-indicator-compromise.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (snort3-indicator-compromise.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (snort3-indicator-compromise.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (snort3-indicator-compromise.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (snort3-indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (snort3-indicator-compromise.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (snort3-indicator-compromise.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (snort3-indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (snort3-indicator-compromise.rules)
 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (snort3-indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (snort3-indicator-compromise.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (snort3-indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (snort3-indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (snort3-indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (snort3-indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (snort3-indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (snort3-indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (snort3-indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (snort3-indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz dns query (snort3-indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (snort3-indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (snort3-indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (snort3-indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (snort3-indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (snort3-indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (snort3-indicator-compromise.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (snort3-indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (snort3-indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (snort3-indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (snort3-indicator-compromise.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (snort3-indicator-compromise.rules)
 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (snort3-indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (snort3-indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (snort3-indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (snort3-indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (snort3-indicator-compromise.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (snort3-indicator-compromise.rules)
 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (snort3-file-other.rules)

2018-12-20 00:16:54 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz dns query (indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
 * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)

2018-12-20 00:16:54 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
 * 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)
 * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)

2018-12-20 00:16:53 UTC

Snort Subscriber Rules Update

Date: 2018-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48648 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs dns query (indicator-compromise.rules)
 * 1:48647 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bbs tcp dns query (indicator-compromise.rules)
 * 1:48646 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48645 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file font-load out-of-bounds read attempt (file-other.rules)
 * 1:48643 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48642 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds read attempt (file-other.rules)
 * 1:48641 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48640 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out-of-bounds read attempt (file-other.rules)
 * 1:48664 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo dns query (indicator-compromise.rules)
 * 1:48663 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .neo tcp dns query (indicator-compromise.rules)
 * 1:48662 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre dns query (indicator-compromise.rules)
 * 1:48661 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .libre tcp dns query (indicator-compromise.rules)
 * 1:48660 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy dns query (indicator-compromise.rules)
 * 1:48659 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .indy tcp dns query (indicator-compromise.rules)
 * 1:48658 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher dns query (indicator-compromise.rules)
 * 1:48657 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .gopher tcp dns query (indicator-compromise.rules)
 * 1:48656 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek dns query (indicator-compromise.rules)
 * 1:48655 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .geek tcp dns query (indicator-compromise.rules)
 * 1:48654 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn dns query (indicator-compromise.rules)
 * 1:48653 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .dyn tcp dns query (indicator-compromise.rules)
 * 1:48652 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb dns query (indicator-compromise.rules)
 * 1:48651 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .cyb tcp dns query (indicator-compromise.rules)
 * 1:48650 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan dns query (indicator-compromise.rules)
 * 1:48649 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .chan tcp dns query (indicator-compromise.rules)
 * 1:48667 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o tcp dns query (indicator-compromise.rules)
 * 1:48666 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null dns query (indicator-compromise.rules)
 * 1:48665 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .null tcp dns query (indicator-compromise.rules)
 * 1:48670 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48669 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss tcp dns query (indicator-compromise.rules)
 * 1:48668 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .o dns query (indicator-compromise.rules)
 * 1:48671 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oz tcp dns query (indicator-compromise.rules)
 * 1:48674 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody dns query (indicator-compromise.rules)
 * 1:48673 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .parody tcp dns query (indicator-compromise.rules)
 * 1:48672 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .oss dns query (indicator-compromise.rules)
 * 1:48677 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free tcp dns query (indicator-compromise.rules)
 * 1:48676 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate dns query (indicator-compromise.rules)
 * 1:48675 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .pirate tcp dns query (indicator-compromise.rules)
 * 1:48678 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .free dns query (indicator-compromise.rules)
 * 1:48698 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48697 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48696 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48695 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48694 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48693 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48688 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur dns query (indicator-compromise.rules)
 * 1:48687 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .fur tcp dns query (indicator-compromise.rules)
 * 1:48686 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib dns query (indicator-compromise.rules)
 * 1:48685 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .lib tcp dns query (indicator-compromise.rules)
 * 1:48684 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc dns query (indicator-compromise.rules)
 * 1:48683 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .emc tcp dns query (indicator-compromise.rules)
 * 1:48682 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin dns query (indicator-compromise.rules)
 * 1:48681 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .coin tcp dns query (indicator-compromise.rules)
 * 1:48680 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar dns query (indicator-compromise.rules)
 * 1:48679 <-> ENABLED <-> INDICATOR-COMPROMISE DNS suspicious .bazar tcp dns query (indicator-compromise.rules)
 * 3:48644 <-> ENABLED <-> POLICY-OTHER Cisco Adaptive Security Appliance admin REST API access attempt (policy-other.rules)
 * 3:48638 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)
 * 3:48639 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers photobak command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:47132 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro XSLT out-of-bounds read attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:47131 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF Alphablend memory corruption attempt (file-other.rules)