Talos Rules 2019-07-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-nntp, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)

Modified Rules:


 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (snort3-malware-other.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (snort3-malware-other.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (snort3-malware-cnc.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (snort3-malware-cnc.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (snort3-file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (snort3-malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (snort3-file-image.rules)

Modified Rules:


 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (snort3-browser-plugins.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (snort3-server-other.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (snort3-protocol-services.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (snort3-malware-other.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (snort3-browser-plugins.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (snort3-server-other.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (snort3-file-multimedia.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (snort3-server-iis.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (snort3-server-mssql.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (snort3-server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (snort3-server-webapp.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (snort3-malware-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (snort3-file-multimedia.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (snort3-server-other.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (snort3-server-webapp.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (snort3-server-mssql.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (snort3-server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (snort3-server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (snort3-server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (snort3-server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (snort3-server-iis.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (snort3-os-windows.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (snort3-file-identify.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (snort3-os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (snort3-protocol-ftp.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (snort3-browser-plugins.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (snort3-browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (snort3-server-other.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (snort3-server-other.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (snort3-protocol-ftp.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (snort3-server-other.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (snort3-server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (snort3-server-mysql.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (snort3-os-windows.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (snort3-server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (snort3-browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (snort3-server-oracle.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (snort3-os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (snort3-file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (snort3-os-windows.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (snort3-os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (snort3-os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (snort3-protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (snort3-os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (snort3-os-windows.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (snort3-server-other.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (snort3-os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (snort3-server-other.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (snort3-protocol-telnet.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (snort3-protocol-dns.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (snort3-server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (snort3-server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (snort3-protocol-nntp.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (snort3-server-other.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (snort3-os-windows.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (snort3-server-oracle.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (snort3-protocol-dns.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (snort3-server-webapp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (snort3-os-windows.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (snort3-file-other.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (snort3-server-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (snort3-server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (snort3-server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (snort3-server-webapp.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (snort3-os-windows.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (snort3-server-other.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (snort3-server-mail.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (snort3-server-webapp.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (snort3-sql.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (snort3-server-iis.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (snort3-protocol-rpc.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (snort3-protocol-rpc.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (snort3-server-webapp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (snort3-server-mssql.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (snort3-server-webapp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (snort3-sql.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (snort3-protocol-snmp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (snort3-server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (snort3-server-iis.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (snort3-server-webapp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (snort3-protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (snort3-protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (snort3-protocol-snmp.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (snort3-protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (snort3-protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (snort3-protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (snort3-protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (snort3-protocol-snmp.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (snort3-server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (snort3-os-windows.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (snort3-server-other.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (snort3-protocol-telnet.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (snort3-server-mysql.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (snort3-browser-plugins.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (snort3-server-mysql.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (snort3-protocol-imap.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (snort3-server-webapp.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (snort3-protocol-telnet.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (snort3-file-pdf.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (snort3-server-other.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (snort3-server-other.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (snort3-server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (snort3-file-multimedia.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (snort3-indicator-compromise.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (snort3-file-other.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (snort3-indicator-compromise.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (snort3-file-office.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (snort3-protocol-snmp.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (snort3-protocol-snmp.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (snort3-protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (snort3-protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (snort3-browser-ie.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (snort3-malware-other.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (snort3-browser-plugins.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)

Modified Rules:


 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)

2019-07-30 12:30:51 UTC

Snort Subscriber Rules Update

Date: 2019-07-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50801 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50814 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50823 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50802 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (malware-other.rules)
 * 1:50808 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50798 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI+ interlaced PNG file parsing heap overflow attempt (file-image.rules)
 * 1:50818 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50812 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50815 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50800 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (malware-cnc.rules)
 * 1:50811 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50820 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50822 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50821 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50809 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50810 <-> ENABLED <-> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (malware-cnc.rules)
 * 1:50819 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 1:50799 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (malware-cnc.rules)
 * 1:50813 <-> DISABLED <-> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (file-office.rules)
 * 3:50824 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50826 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50827 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50804 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0866 attack attempt (policy-other.rules)
 * 3:50803 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0866 attack attempt (protocol-scada.rules)
 * 3:50807 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)
 * 3:50805 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0868 attack attempt (policy-other.rules)
 * 3:50825 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0876 attack attempt (file-image.rules)
 * 3:50806 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0875 attack attempt (file-image.rules)

Modified Rules:


 * 1:987 <-> DISABLED <-> FILE-IDENTIFY .htr access file download request (file-identify.rules)
 * 1:4990 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:6684 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
 * 1:9422 <-> ENABLED <-> MALWARE-OTHER msblast attempt (malware-other.rules)
 * 1:9642 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF codec list object parsing buffer overflow attempt (os-windows.rules)
 * 1:6686 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX clsid access (browser-plugins.rules)
 * 1:1016 <-> DISABLED <-> SERVER-IIS global.asa access (server-iis.rules)
 * 1:8702 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9423 <-> ENABLED <-> MALWARE-OTHER lovegate attempt (malware-other.rules)
 * 1:9625 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASX file ref href buffer overflow attempt (os-windows.rules)
 * 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
 * 1:4989 <-> DISABLED <-> SERVER-MSSQL heap-based overflow attempt (server-mssql.rules)
 * 1:6687 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX function call access (browser-plugins.rules)
 * 1:9383 <-> DISABLED <-> MALWARE-OTHER netsky.y smtp propagation detection (malware-other.rules)
 * 1:604 <-> DISABLED <-> PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt (protocol-services.rules)
 * 1:9790 <-> DISABLED <-> SERVER-OTHER HP-UX lpd command execution attempt (server-other.rules)
 * 1:1413 <-> DISABLED <-> PROTOCOL-SNMP private access udp (protocol-snmp.rules)
 * 1:6681 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX clsid access (browser-plugins.rules)
 * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
 * 1:7014 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer NMSA.ASFSourceMediaDescription.1 ActiveX function call access (browser-plugins.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:8084 <-> DISABLED <-> SERVER-WEBAPP CVSTrac filediff function access (server-webapp.rules)
 * 1:7502 <-> DISABLED <-> BROWSER-PLUGINS tsuserex.ADsTSUserEx.1 ActiveX clsid access (browser-plugins.rules)
 * 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
 * 1:7017 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer RDS.DataControl ActiveX function call access (browser-plugins.rules)
 * 1:9641 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF simple index object parsing buffer overflow attempt (os-windows.rules)
 * 1:1177 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:5317 <-> DISABLED <-> SERVER-OTHER pcAnywhere buffer overflow attempt (server-other.rules)
 * 1:6682 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX function call access (browser-plugins.rules)
 * 1:3397 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:8703 <-> DISABLED <-> SERVER-OTHER IceCast header buffer overflow attempt (server-other.rules)
 * 1:9844 <-> DISABLED <-> FILE-MULTIMEDIA VLC Media Player udp URI format string attempt (file-multimedia.rules)
 * 1:1160 <-> DISABLED <-> SERVER-WEBAPP Netscape dir index wp (server-webapp.rules)
 * 1:49574 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:1183 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1184 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1186 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1188 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:4988 <-> DISABLED <-> SERVER-WEBAPP Barracuda IMG.PL directory traversal attempt (server-webapp.rules)
 * 1:1189 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1190 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1191 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1198 <-> DISABLED <-> SERVER-WEBAPP Netscape Enterprise Server directory view (server-webapp.rules)
 * 1:1242 <-> DISABLED <-> SERVER-IIS ISAPI .ida access (server-iis.rules)
 * 1:1243 <-> DISABLED <-> SERVER-IIS ISAPI .ida attempt (server-iis.rules)
 * 1:9643 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Player ASF marker object parsing buffer overflow attempt (os-windows.rules)
 * 1:1244 <-> DISABLED <-> SERVER-IIS ISAPI .idq attempt (server-iis.rules)
 * 1:1245 <-> DISABLED <-> SERVER-IIS ISAPI .idq access (server-iis.rules)
 * 1:1250 <-> DISABLED <-> OS-OTHER Cisco IOS HTTP configuration attempt (os-other.rules)
 * 1:1377 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1378 <-> DISABLED <-> PROTOCOL-FTP wu-ftp bad file completion attempt (protocol-ftp.rules)
 * 1:1417 <-> DISABLED <-> PROTOCOL-SNMP request udp (protocol-snmp.rules)
 * 1:1418 <-> DISABLED <-> PROTOCOL-SNMP request tcp (protocol-snmp.rules)
 * 1:1415 <-> DISABLED <-> PROTOCOL-SNMP Broadcast request (protocol-snmp.rules)
 * 1:1414 <-> DISABLED <-> PROTOCOL-SNMP private access tcp (protocol-snmp.rules)
 * 1:1725 <-> DISABLED <-> SERVER-IIS +.htr code fragment attempt (server-iis.rules)
 * 1:1419 <-> DISABLED <-> PROTOCOL-SNMP trap udp (protocol-snmp.rules)
 * 1:2649 <-> DISABLED <-> SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt (server-oracle.rules)
 * 1:1422 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt with evasion (protocol-snmp.rules)
 * 1:2003 <-> DISABLED <-> SQL Worm propagation attempt (sql.rules)
 * 1:2126 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt (os-windows.rules)
 * 1:2253 <-> DISABLED <-> SERVER-MAIL XEXCH50 overflow attempt (server-mail.rules)
 * 1:2129 <-> DISABLED <-> SERVER-IIS nsiislog.dll access (server-iis.rules)
 * 1:2004 <-> DISABLED <-> SQL Worm propagation attempt OUTBOUND (sql.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:2050 <-> DISABLED <-> SERVER-MSSQL version overflow attempt (server-mssql.rules)
 * 1:2092 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt UDP (protocol-rpc.rules)
 * 1:1420 <-> DISABLED <-> PROTOCOL-SNMP trap tcp (protocol-snmp.rules)
 * 1:1871 <-> DISABLED <-> SERVER-WEBAPP Oracle XSQLConfig.xml access (server-webapp.rules)
 * 1:1873 <-> DISABLED <-> SERVER-WEBAPP globals.jsa access (server-webapp.rules)
 * 1:2002 <-> DISABLED <-> SERVER-WEBAPP remote include path attempt (server-webapp.rules)
 * 1:1416 <-> DISABLED <-> PROTOCOL-SNMP broadcast trap (protocol-snmp.rules)
 * 1:1421 <-> DISABLED <-> PROTOCOL-SNMP AgentX/tcp request (protocol-snmp.rules)
 * 1:2589 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt (os-windows.rules)
 * 1:2381 <-> DISABLED <-> SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt (server-webapp.rules)
 * 1:2434 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi access (server-webapp.rules)
 * 1:2446 <-> DISABLED <-> SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm (server-other.rules)
 * 1:2485 <-> DISABLED <-> BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access (browser-plugins.rules)
 * 1:2093 <-> DISABLED <-> PROTOCOL-RPC portmap proxy integer overflow attempt TCP (protocol-rpc.rules)
 * 1:2413 <-> DISABLED <-> SERVER-OTHER ISAKMP delete hash with empty hash attempt (server-other.rules)
 * 1:2414 <-> DISABLED <-> SERVER-OTHER ISAKMP initial contact notification without SPI attempt (server-other.rules)
 * 1:2415 <-> DISABLED <-> SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt (server-other.rules)
 * 1:2583 <-> DISABLED <-> SERVER-OTHER CVS Max-dotdot integer overflow attempt (server-other.rules)
 * 1:303 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2433 <-> DISABLED <-> SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt (server-webapp.rules)
 * 1:2922 <-> DISABLED <-> PROTOCOL-DNS TCP inverse query (protocol-dns.rules)
 * 1:2927 <-> DISABLED <-> OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt (os-windows.rules)
 * 1:314 <-> DISABLED <-> SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt (server-other.rules)
 * 1:2550 <-> DISABLED <-> FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt (file-other.rules)
 * 1:3089 <-> DISABLED <-> SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt (server-other.rules)
 * 1:3199 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP (os-windows.rules)
 * 1:3147 <-> ENABLED <-> PROTOCOL-TELNET login buffer overflow attempt (protocol-telnet.rules)
 * 1:3200 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP (os-windows.rules)
 * 1:3274 <-> ENABLED <-> PROTOCOL-TELNET login buffer non-evasive overflow attempt (protocol-telnet.rules)
 * 1:3078 <-> DISABLED <-> PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt (protocol-nntp.rules)
 * 1:3148 <-> DISABLED <-> OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt (os-windows.rules)
 * 1:3195 <-> DISABLED <-> OS-WINDOWS name query overflow attempt TCP (os-windows.rules)
 * 1:3196 <-> DISABLED <-> OS-WINDOWS name query overflow attempt UDP (os-windows.rules)
 * 1:2921 <-> DISABLED <-> PROTOCOL-DNS UDP inverse query (protocol-dns.rules)
 * 1:3085 <-> DISABLED <-> SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt (server-other.rules)
 * 1:497 <-> DISABLED <-> INDICATOR-COMPROMISE file copied ok (indicator-compromise.rules)
 * 1:962 <-> DISABLED <-> SERVER-OTHER Microsoft Frontpage shtml.exe access (server-other.rules)
 * 1:8701 <-> DISABLED <-> SERVER-WEBAPP IceCast header buffer overflow attempt (server-webapp.rules)
 * 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
 * 1:49300 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:494 <-> DISABLED <-> INDICATOR-COMPROMISE command completed (indicator-compromise.rules)
 * 1:49573 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer mpeg width integer memory underflow attempt (file-multimedia.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49297 <-> DISABLED <-> FILE-OTHER IBM Lotus Notes LZH Attachment Viewer buffer overflow attempt (file-other.rules)
 * 1:49299 <-> DISABLED <-> FILE-OFFICE Microsoft Access arbitrary code execution attempt (file-office.rules)
 * 1:3813 <-> DISABLED <-> SERVER-WEBAPP awstats.pl configdir command execution attempt (server-webapp.rules)
 * 1:4145 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Trouble Shooter ActiveX object access (browser-plugins.rules)
 * 1:4645 <-> DISABLED <-> PROTOCOL-IMAP search format string attempt (protocol-imap.rules)
 * 1:47319 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds write attempt (file-pdf.rules)
 * 1:3672 <-> DISABLED <-> SERVER-MYSQL client overflow attempt (server-mysql.rules)
 * 1:3673 <-> DISABLED <-> OS-WINDOWS Microsoft SMS remote control client DoS overly long length attempt (os-windows.rules)
 * 1:3687 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT USERVAR information disclosure (protocol-telnet.rules)
 * 1:3688 <-> DISABLED <-> PROTOCOL-TELNET client ENV OPT VAR information disclosure (protocol-telnet.rules)
 * 1:3668 <-> DISABLED <-> SERVER-MYSQL client authentication bypass attempt (server-mysql.rules)
 * 1:3669 <-> DISABLED <-> SERVER-MYSQL protocol 41 secure client overflow attempt (server-mysql.rules)
 * 1:3670 <-> DISABLED <-> SERVER-MYSQL secure client overflow attempt (server-mysql.rules)
 * 1:3671 <-> DISABLED <-> SERVER-MYSQL protocol 41 client overflow attempt (server-mysql.rules)
 * 1:3550 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HTML http/https scheme hostname overflow attempt (browser-ie.rules)
 * 1:3657 <-> DISABLED <-> SERVER-ORACLE ctxsys.driload attempt (server-oracle.rules)
 * 1:3664 <-> DISABLED <-> SERVER-OTHER PPTP echo request buffer overflow attempt (server-other.rules)
 * 1:3667 <-> DISABLED <-> SERVER-MYSQL protocol 41 client authentication bypass attempt (server-mysql.rules)
 * 1:3398 <-> DISABLED <-> OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt (os-windows.rules)
 * 1:3409 <-> DISABLED <-> OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt (os-windows.rules)
 * 1:3470 <-> DISABLED <-> FILE-MULTIMEDIA RealNetworks RealPlayer VIDORV30 header length buffer overflow (file-multimedia.rules)
 * 1:1412 <-> DISABLED <-> PROTOCOL-SNMP public access tcp (protocol-snmp.rules)
 * 1:13974 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer XHTML element memory corruption attempt (browser-ie.rules)
 * 1:1409 <-> DISABLED <-> PROTOCOL-SNMP community string buffer overflow attempt (protocol-snmp.rules)
 * 1:1411 <-> DISABLED <-> PROTOCOL-SNMP public access udp (protocol-snmp.rules)
 * 3:50797 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2019-0870 attack attempt (protocol-scada.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)