Talos Rules 2019-01-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-01-22 20:09:38 UTC

Snort Subscriber Rules Update

Date: 2019-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48939 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48935 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt (server-webapp.rules)
 * 1:48905 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48936 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48906 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48937 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:48907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48938 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48942 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48943 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48944 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48945 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48913 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48914 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48915 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48916 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48919 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48918 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48933 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48929 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48925 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48934 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48931 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48932 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48930 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48927 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48928 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48920 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48926 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48923 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48924 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48922 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48921 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48902 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48917 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)

Modified Rules:


 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:32318 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:32317 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:19198 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)

2019-01-22 20:09:38 UTC

Snort Subscriber Rules Update

Date: 2019-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48935 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt (server-webapp.rules)
 * 1:48906 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48937 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:48936 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48905 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48939 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48938 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48942 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48943 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48944 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48945 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48914 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48915 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48916 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48917 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48919 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48918 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48913 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48934 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48933 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48929 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48931 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48932 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48925 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48930 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48927 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48928 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48926 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48923 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48924 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48920 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48922 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48921 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48902 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)

Modified Rules:


 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:19198 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:32318 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:32317 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)

2019-01-22 20:09:38 UTC

Snort Subscriber Rules Update

Date: 2019-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:48936 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt (snort3-server-webapp.rules)
 * 1:48935 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48938 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (snort3-malware-other.rules)
 * 1:48937 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (snort3-file-image.rules)
 * 1:48939 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (snort3-malware-other.rules)
 * 1:48904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (snort3-malware-cnc.rules)
 * 1:48905 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:48906 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:48907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48932 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48945 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (snort3-file-pdf.rules)
 * 1:48944 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (snort3-file-pdf.rules)
 * 1:48943 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (snort3-file-pdf.rules)
 * 1:48942 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (snort3-file-pdf.rules)
 * 1:48941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (snort3-malware-cnc.rules)
 * 1:48940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (snort3-malware-cnc.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:48913 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48914 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48915 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48916 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48919 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48918 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48917 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48924 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48923 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48922 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48921 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48920 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48902 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:48911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48934 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48933 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48931 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48929 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48930 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48927 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48928 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48925 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)
 * 1:48926 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (snort3-file-image.rules)

Modified Rules:


 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:19198 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (snort3-browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (snort3-browser-ie.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (snort3-file-other.rules)
 * 1:32318 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (snort3-browser-ie.rules)
 * 1:32317 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (snort3-browser-ie.rules)

2019-01-22 20:09:38 UTC

Snort Subscriber Rules Update

Date: 2019-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48936 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48935 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt (server-webapp.rules)
 * 1:48906 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48905 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48913 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48914 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48915 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48916 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48917 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48918 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48919 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48945 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48944 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48943 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48942 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48937 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:48938 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48939 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48934 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48932 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48933 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48930 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48931 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48928 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48929 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48926 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48927 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48924 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48925 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48923 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48921 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48922 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48920 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48902 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)

Modified Rules:


 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:32317 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:32318 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:19198 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)

2019-01-22 20:09:38 UTC

Snort Subscriber Rules Update

Date: 2019-01-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48914 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48913 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48908 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48907 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48906 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48905 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:48904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48902 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48900 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager TMCM SQL injection attempt (server-webapp.rules)
 * 1:48930 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48929 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48928 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48927 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48926 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48925 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48924 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48923 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48922 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48921 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48920 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48919 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48918 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48917 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48916 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48915 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48933 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48932 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48931 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48936 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48935 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48934 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro tga file heap overflow attempt (file-image.rules)
 * 1:48937 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:48940 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48939 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48938 <-> ENABLED <-> MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script (malware-other.rules)
 * 1:48943 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48942 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48941 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt (malware-cnc.rules)
 * 1:48944 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)
 * 1:48945 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read (file-pdf.rules)

Modified Rules:


 * 1:19198 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:31027 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31030 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:32317 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:32318 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onreadystatechange use after free attempt (browser-ie.rules)
 * 1:34418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:34419 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Element object use-after-free attempt (browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)