Talos Rules 2019-07-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-multimedia, file-office, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

SIDs 44989-44990, 45132-45137, 45466-45467, 45511-45512 and 46106-46107 provide coverage for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Based on new threat intelligence, we are releasing additional coverage for these CVEs as SIDs 50684, 50685 and 50689-50695. Note that SIDs 50684 and 50685 ship DISABLED by default in this release and must be enabled explicitly in your policy; the remaining new SIDs in that set ship ENABLED.

Change logs

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)

Modified Rules:


 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
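The list format described above (gid:sid <-> Default rule state <-> Message (rule group)) is simple enough to parse for automation, for instance to find which of the coverage SIDs named at the top of this release ship DISABLED and would need to be turned on explicitly before the coverage is active. The Python below is an added example written for this page, not Talos or Snort code. The sample lines embedded in it are copied from this changelog; the SID specification string (comma-separated values with hyphenated ranges) mirrors the way the release notes above list SIDs, and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: a few lines copied from this changelog, in its own layout.
SAMPLE = """\
New Rules:

 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)

Modified Rules:

 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    section: str    # "new" or "modified", from the nearest preceding header
    category: str   # first token of the message, e.g. FILE-OFFICE
    msg: str
    group: str      # rule file the SID lives in, e.g. file-office.rules


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse a changelog block into structured entries, tracking the section headers."""
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, dates, format description
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")),
            sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            section=section,
            category=msg.split(" ", 1)[0],
            msg=msg,
            group=m.group("group"),
        ))
    return entries


def expand_sid_spec(spec: str) -> Set[int]:
    """Expand a release-notes style SID list such as '50684, 50685, 50689-50695'."""
    sids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if hi < lo:
                raise ValueError(f"bad SID range: {part!r}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


def disabled_by_default(entries: List[RuleEntry], wanted: Set[int]) -> List[int]:
    """SIDs from `wanted` that appear in this release but ship DISABLED.

    These give no coverage until enabled in the deployed policy."""
    return sorted(e.sid for e in entries if e.sid in wanted and not e.enabled)


def missing_from_release(entries: List[RuleEntry], wanted: Set[int]) -> List[int]:
    """SIDs from `wanted` that do not appear in this changelog at all."""
    present = {e.sid for e in entries}
    return sorted(wanted - present)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    coverage = expand_sid_spec("50684, 50685, 50689-50695")
    print("disabled coverage SIDs:", disabled_by_default(rules, coverage))
    print("coverage SIDs not in this block:", missing_from_release(rules, coverage))
```

Run against a full changelog block (the text between one "Snort Subscriber Rules Update" header and the next), the two check functions turn the prose at the top of the release into a concrete enable list and a gap list for the rule pack you actually deploy.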

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)

Modified Rules:


 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)

Modified Rules:


 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (snort3-file-office.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (snort3-file-multimedia.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (snort3-file-multimedia.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (snort3-file-office.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (snort3-malware-cnc.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (snort3-malware-cnc.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (snort3-server-webapp.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (snort3-server-webapp.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (snort3-malware-cnc.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (snort3-browser-firefox.rules)
 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (snort3-malware-other.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (snort3-malware-other.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (snort3-file-office.rules)

Modified Rules:


 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (snort3-policy-other.rules)
 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (snort3-malware-cnc.rules)

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)

Modified Rules:


 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)

2019-07-11 13:07:33 UTC

Snort Subscriber Rules Update

Date: 2019-07-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50710 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50684 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50707 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swizzor variant outbound connection attempt (malware-cnc.rules)
 * 1:50685 <-> DISABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF embedded OLE evasion attempt (file-office.rules)
 * 1:50693 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50688 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50709 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50689 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RoyalRoad APT campaign outbound connection (malware-cnc.rules)
 * 1:50706 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50687 <-> DISABLED <-> FILE-MULTIMEDIA Quicktime MJPEG Frame stsd Atom Heap Overflow attempt (file-multimedia.rules)
 * 1:50691 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50690 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50692 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor RTF evasion attempt (file-office.rules)
 * 1:50695 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50711 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin SQL injection attempt (server-webapp.rules)
 * 1:50705 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50702 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50703 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50708 <-> DISABLED <-> SERVER-WEBAPP WordPress Rencontre plugin cross site scripting attempt (server-webapp.rules)
 * 1:50701 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50704 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
 * 1:50694 <-> ENABLED <-> MALWARE-OTHER Microsoft Office Equation Editor remote code execution attempt (malware-other.rules)
 * 1:50700 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50698 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant payload download attempt (malware-cnc.rules)
 * 1:50699 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Beapy variant outbound cnc connection (malware-cnc.rules)
 * 1:50696 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)
 * 1:50697 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox RemotePrompt sandbox escape attempt (browser-firefox.rules)

Modified Rules:


 * 1:50008 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50009 <-> ENABLED <-> MALWARE-CNC Win.Doc.Dropper SectorB06 malicious rtf dropper download attempt (malware-cnc.rules)
 * 1:50659 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)
 * 1:50660 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic Server blacklisted class use attempt (policy-other.rules)