Talos Rules 2019-05-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-image, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-05-30 17:07:39 UTC

Snort Subscriber Rules Update

Date: 2019-05-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)

Modified Rules:
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

New Rules:
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)

Modified Rules:
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)

Modified Rules:
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (snort3-malware-other.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (snort3-file-other.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (snort3-file-other.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules)
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (snort3-malware-other.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (snort3-file-image.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (snort3-file-pdf.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (snort3-malware-cnc.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (snort3-file-pdf.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (snort3-malware-other.rules)

Modified Rules:
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (snort3-file-other.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (snort3-file-other.rules)
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules)
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (snort3-file-pdf.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

New Rules:
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)

Modified Rules:
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:
 * 1:50237 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50271 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50244 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50264 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50267 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50238 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50247 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50242 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:50258 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50253 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50245 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-OTHER MultiOS.Backdoor.Agent implant attempt (malware-other.rules)
 * 1:50268 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:50241 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50272 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50263 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50248 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50249 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50250 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Chopper inbound request attempt (malware-other.rules)
 * 1:50255 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50251 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50256 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50243 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds read attempt (file-pdf.rules)
 * 1:50252 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50254 <-> ENABLED <-> FILE-PDF Adobe Acrobat out-of-bounds write attempt (file-pdf.rules)
 * 1:50246 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat out-of-bounds write attempt (file-image.rules)
 * 1:50259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50236 <-> ENABLED <-> FILE-OTHER Adobe Acrobat PostScript file parsing TBuildCharDict use after free attempt (file-other.rules)
 * 1:50262 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50240 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 1:50260 <-> ENABLED <-> MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt (malware-cnc.rules)
 * 1:50239 <-> ENABLED <-> FILE-PDF Adobe Acrobat use after free attempt (file-pdf.rules)
 * 1:50261 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection (malware-cnc.rules)
 * 1:50257 <-> ENABLED <-> FILE-OTHER Adobe Acrobat out-of-bounds read attempt (file-other.rules)
 * 3:50266 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)
 * 3:50274 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50269 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0843 attack attempt (file-image.rules)
 * 3:50273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0841 attack attempt (file-image.rules)
 * 3:50265 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0842 attack attempt (file-image.rules)

Modified Rules:
 * 1:23612 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
 * 1:47143 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:47144 <-> DISABLED <-> FILE-OTHER Multiple products SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:23611 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)
 * 1:25475 <-> DISABLED <-> FILE-PDF JavaScript contained in an xml template embedded in a pdf attempt (file-pdf.rules)