Talos Rules 2019-07-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-flash, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)

Modified Rules:


 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (snort3-protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (snort3-protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (snort3-protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (snort3-protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (snort3-protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (snort3-protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (snort3-protocol-scada.rules)
 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (snort3-protocol-scada.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (snort3-malware-cnc.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (snort3-malware-cnc.rules)
 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (snort3-server-webapp.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (snort3-protocol-scada.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (snort3-protocol-scada.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (snort3-os-windows.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (snort3-os-windows.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (snort3-malware-cnc.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (snort3-malware-other.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (snort3-protocol-scada.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (snort3-protocol-scada.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (snort3-protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (snort3-protocol-scada.rules)
 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (snort3-protocol-scada.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (snort3-protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (snort3-protocol-scada.rules)
 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (snort3-protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (snort3-protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (snort3-protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (snort3-protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (snort3-protocol-scada.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (snort3-malware-cnc.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (snort3-protocol-scada.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (snort3-protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (snort3-protocol-scada.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (snort3-protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (snort3-protocol-scada.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (snort3-protocol-scada.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (snort3-protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (snort3-protocol-scada.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (snort3-protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (snort3-protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (snort3-protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (snort3-protocol-scada.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (snort3-protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (snort3-protocol-scada.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (snort3-protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (snort3-protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (snort3-protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (snort3-protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (snort3-protocol-scada.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (snort3-protocol-scada.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (snort3-protocol-scada.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (snort3-malware-cnc.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (snort3-malware-cnc.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (snort3-protocol-scada.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (snort3-protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (snort3-protocol-scada.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (snort3-protocol-scada.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (snort3-file-flash.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (snort3-server-webapp.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (snort3-protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (snort3-protocol-scada.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (snort3-protocol-scada.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (snort3-protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (snort3-protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (snort3-protocol-scada.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (snort3-protocol-scada.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (snort3-protocol-scada.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (snort3-protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (snort3-protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (snort3-protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (snort3-protocol-scada.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (snort3-protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (snort3-protocol-scada.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (snort3-protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (snort3-protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (snort3-protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (snort3-protocol-scada.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (snort3-protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (snort3-protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (snort3-protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (snort3-protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (snort3-protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (snort3-protocol-scada.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (snort3-protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (snort3-protocol-scada.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (snort3-protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (snort3-protocol-scada.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (snort3-protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (snort3-protocol-scada.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (snort3-protocol-scada.rules)

Modified Rules:


 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (snort3-malware-cnc.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (snort3-server-webapp.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (snort3-server-webapp.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (snort3-malware-cnc.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)

Modified Rules:


 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)

2019-07-02 13:41:44 UTC

Snort Subscriber Rules Update

Date: 2019-07-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50605 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initializeJournal message (protocol-scada.rules)
 * 1:50604 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU writeJournal message (protocol-scada.rules)
 * 1:50613 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDirectory message (protocol-scada.rules)
 * 1:50598 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventEnrollmentAttributes message (protocol-scada.rules)
 * 1:50601 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmSummary message (protocol-scada.rules)
 * 1:50599 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventEnrollment message (protocol-scada.rules)
 * 1:50614 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileDelete message (protocol-scada.rules)
 * 1:50600 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU acknowledgeEventNotification message (protocol-scada.rules)
 * 1:50603 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU readJournal message (protocol-scada.rules)
 * 1:50596 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventEnrollmentStatus message (protocol-scada.rules)
 * 1:50616 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50618 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50553 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedTypeAttributes message (protocol-scada.rules)
 * 1:50619 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50611 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileOpen message (protocol-scada.rules)
 * 1:50620 <-> ENABLED <-> OS-WINDOWS Executable DICOM 10 file download attempt (os-windows.rules)
 * 1:50621 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50617 <-> ENABLED <-> MALWARE-OTHER Html.Phishing.Necurs DNS compromise attempt (malware-other.rules)
 * 1:50555 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU input message (protocol-scada.rules)
 * 1:50602 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getAlarmEnrollmentSummary message (protocol-scada.rules)
 * 1:50563 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreEntryStatus message (protocol-scada.rules)
 * 1:50530 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50560 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteSemaphore message (protocol-scada.rules)
 * 1:50573 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainUpload message (protocol-scada.rules)
 * 1:50586 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU triggerEvent message (protocol-scada.rules)
 * 1:50581 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reset message (protocol-scada.rules)
 * 1:50585 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventCondition message (protocol-scada.rules)
 * 1:50522 <-> DISABLED <-> SERVER-WEBAPP Infomir Ministra PHP object injection attempt (server-webapp.rules)
 * 1:50564 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateDownloadSequence message (protocol-scada.rules)
 * 1:50587 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU alterEventConditionMonitoring message (protocol-scada.rules)
 * 1:50542 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU read message (protocol-scada.rules)
 * 1:50590 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventAction message (protocol-scada.rules)
 * 1:50554 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedType message (protocol-scada.rules)
 * 1:50545 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariableList message (protocol-scada.rules)
 * 1:50593 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventActionStatus message (protocol-scada.rules)
 * 1:50592 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventAction message (protocol-scada.rules)
 * 1:50548 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteVariableAccess message (protocol-scada.rules)
 * 1:50552 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedType message (protocol-scada.rules)
 * 1:50551 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteNamedVariableList message (protocol-scada.rules)
 * 1:50539 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU identify message (protocol-scada.rules)
 * 1:50576 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createProgramInvocation message (protocol-scada.rules)
 * 1:50543 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU write message (protocol-scada.rules)
 * 1:50550 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNamedVariableListAttributes message (protocol-scada.rules)
 * 1:50580 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU resume message (protocol-scada.rules)
 * 1:50568 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU uploadSegment message (protocol-scada.rules)
 * 1:50578 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU stop message (protocol-scada.rules)
 * 1:50612 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRename message (protocol-scada.rules)
 * 1:50606 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportJournalStatus message (protocol-scada.rules)
 * 1:50607 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteJournal message (protocol-scada.rules)
 * 1:50608 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getCapabilityList message (protocol-scada.rules)
 * 1:50597 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventEnrollment message (protocol-scada.rules)
 * 1:50615 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileRead message (protocol-scada.rules)
 * 1:50541 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getNameList message (protocol-scada.rules)
 * 1:50561 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportSemaphoreStatus message (protocol-scada.rules)
 * 1:50529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50579 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU start message (protocol-scada.rules)
 * 1:50556 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU output message (protocol-scada.rules)
 * 1:50577 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteDomain message (protocol-scada.rules)
 * 1:50527 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50537 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50589 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportEventConditionStatus message (protocol-scada.rules)
 * 1:50591 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteEventCondition message (protocol-scada.rules)
 * 1:50549 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getScatteredAccessAttributes message (protocol-scada.rules)
 * 1:50547 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineNamedVariable message (protocol-scada.rules)
 * 1:50544 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineScatteredAccess message (protocol-scada.rules)
 * 1:50546 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getVariableAccessAttributes message (protocol-scada.rules)
 * 1:50610 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU fileClose message (protocol-scada.rules)
 * 1:50595 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineEventEnrollment message (protocol-scada.rules)
 * 1:50567 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU initiateUploadSequence message (protocol-scada.rules)
 * 1:50571 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU loadDomainContent message (protocol-scada.rules)
 * 1:50609 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU createJournal message (protocol-scada.rules)
 * 1:50570 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU DomainDownload message (protocol-scada.rules)
 * 1:50584 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU obtainFile message (protocol-scada.rules)
 * 1:50582 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU kill message (protocol-scada.rules)
 * 1:50520 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50521 <-> ENABLED <-> MALWARE-CNC Doc.Malware.HWPRokrat variant outbound connection (malware-cnc.rules)
 * 1:50575 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU deleteProgramInvocation message (protocol-scada.rules)
 * 1:50559 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU defineSemaphore message (protocol-scada.rules)
 * 1:50535 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50562 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU reportPoolSemaphoreStatus message (protocol-scada.rules)
 * 1:50524 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50534 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50538 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU status message (protocol-scada.rules)
 * 1:50594 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventActionAttributes message (protocol-scada.rules)
 * 1:50572 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU storeDomainContent message (protocol-scada.rules)
 * 1:50523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50565 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU downloadSegment message (protocol-scada.rules)
 * 1:50566 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateDownloadSequence message (protocol-scada.rules)
 * 1:50569 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU terminateUploadSequence message (protocol-scada.rules)
 * 1:50526 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant payload download attempt (malware-cnc.rules)
 * 1:50583 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getProgramInvocationAttributes message (protocol-scada.rules)
 * 1:50525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)
 * 1:50557 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU takeControl message (protocol-scada.rules)
 * 1:50558 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU relinquishControl message (protocol-scada.rules)
 * 1:50531 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound attempt (malware-cnc.rules)
 * 1:50536 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TVSDK metadata use after free attempt (file-flash.rules)
 * 1:50588 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getEventConditionAttributes message (protocol-scada.rules)
 * 1:50540 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU rename message (protocol-scada.rules)
 * 1:50574 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU getDomainAttributes message (protocol-scada.rules)
 * 1:50533 <-> ENABLED <-> SERVER-WEBAPP Sonatype Nexus Repository Manager remote code execution attempt (server-webapp.rules)
 * 1:50532 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Scranos variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:40066 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit (malware-cnc.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:50304 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50305 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50306 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50307 <-> DISABLED <-> SERVER-WEBAPP OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt (server-webapp.rules)
 * 1:50392 <-> DISABLED <-> SERVER-WEBAPP Belkin Wemo UPnP command injection attempt (server-webapp.rules)
 * 1:50501 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.Vools variant outbound connection (malware-cnc.rules)
 * 1:50518 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:50519 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)