Talos Rules 2019-08-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-multimedia, file-other, file-pdf, malware-cnc, malware-other, os-windows, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats in these categories.

Change logs

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)

Modified Rules:


 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (server-other.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
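The changelogs on this page share the one line format documented above, gid:sid <-> Default rule state <-> Message (rule group). The Python below is an added example, not part of the Talos release notes or of any Talos tooling: it parses that format and answers the questions a detection engineer asks of a rule update, namely which new rules ship ENABLED and will alert at the next reload, which DISABLED rules cover products in the estate, and which rules are gid 3 shared-object rules tied to a specific Snort build. The sample changelog is a constructed excerpt of lines from this page, the function names are this example's own, and enablesid_line emits the comma-separated gid:sid list that PulledPork's enablesid.conf accepts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One changelog entry in the format the release notes document:
#   gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int          # 1 = text rules, 3 = shared-object (precompiled) rules
    sid: int
    enabled: bool     # default state as shipped by Talos
    category: str     # leading token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str        # rule file, e.g. server-webapp.rules
    section: str      # "new" or "modified"


def parse_changelog(text: str) -> List[RuleEntry]:
    """Parse the 'New Rules:' / 'Modified Rules:' lists into RuleEntry records.
    Lines that do not match the documented format are skipped, so the
    surrounding headers and blank lines can be fed in unchanged."""
    entries: List[RuleEntry] = []
    section: Optional[str] = None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m is None or section is None:
            continue
        msg = m.group("msg")
        entries.append(RuleEntry(
            gid=int(m.group("gid")), sid=int(m.group("sid")),
            enabled=m.group("state") == "ENABLED",
            category=msg.split(" ", 1)[0], message=msg,
            group=m.group("group"), section=section,
        ))
    return entries


def new_rules_enabled_by_default(entries: Iterable[RuleEntry]) -> List[RuleEntry]:
    """New rules shipped ENABLED start alerting at the next reload with no
    tuning, so they are the ones to review before pushing the update."""
    return [e for e in entries if e.section == "new" and e.enabled]


def rules_mentioning(entries: Iterable[RuleEntry], keywords: Iterable[str]) -> List[RuleEntry]:
    """Rules whose message names any keyword (case-insensitive). Run this with
    product names from the asset inventory to find DISABLED coverage worth
    enabling, e.g. for a GlobalProtect portal or a Postfix relay."""
    needles = [k.lower() for k in keywords]
    return [e for e in entries if any(k in e.message.lower() for k in needles)]


def shared_object_rules(entries: Iterable[RuleEntry]) -> List[RuleEntry]:
    """gid 3 rules are precompiled shared-object rules; they only load on the
    Snort build they were compiled for, which is why Talos publishes one
    changelog per Snort version."""
    return [e for e in entries if e.gid == 3]


def count_by_group(entries: Iterable[RuleEntry], section: Optional[str] = None) -> Counter:
    """How many entries touch each rule file, optionally for one section only."""
    return Counter(e.group for e in entries if section is None or e.section == section)


def enablesid_line(entries: Iterable[RuleEntry]) -> str:
    """Render entries as the comma-separated gid:sid list used in PulledPork's
    enablesid.conf, so a chosen subset can be switched on."""
    return ",".join(f"{e.gid}:{e.sid}" for e in entries)


# Constructed excerpt of the 2019-08-01 changelog, taken from lines on this page.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)

Modified Rules:

 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    for e in new_rules_enabled_by_default(rules):
        print(f"enabled by default: {e.gid}:{e.sid} {e.message}")
    print("coverage for inventory:", enablesid_line(rules_mentioning(rules, ["GlobalProtect", "Postfix"])))
    print("shared-object rules:", [f"{e.gid}:{e.sid}" for e in shared_object_rules(rules)])
```

Feed the whole release-notes text for the Snort version you actually run, not a mixed copy: the gid 1 text rules are the same across the three changelogs here, but the gid 3 entries only apply to the matching build.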

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)

Modified Rules:


 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)

Modified Rules:


 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)

Modified Rules:


 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (snort3-server-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (snort3-file-other.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (snort3-file-other.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (snort3-malware-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (snort3-server-mail.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (snort3-file-other.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (snort3-server-webapp.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (snort3-file-pdf.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (snort3-server-webapp.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (snort3-file-pdf.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (snort3-file-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (snort3-malware-other.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (snort3-server-webapp.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (snort3-server-other.rules)

Modified Rules:


 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (snort3-server-other.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (snort3-server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (snort3-server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (snort3-server-other.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (snort3-server-other.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (snort3-server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (snort3-server-other.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (snort3-server-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (snort3-server-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (snort3-server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (snort3-server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (snort3-server-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (snort3-server-other.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (snort3-browser-ie.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (snort3-server-other.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (snort3-server-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (snort3-server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (snort3-os-windows.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (snort3-server-webapp.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (snort3-malware-cnc.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (snort3-server-other.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (snort3-server-webapp.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (snort3-browser-ie.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (snort3-server-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (snort3-server-webapp.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (snort3-server-webapp.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (snort3-server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (snort3-os-windows.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (snort3-server-other.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (snort3-server-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (snort3-server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (snort3-server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (snort3-server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (snort3-server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (snort3-server-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (snort3-file-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (snort3-server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (snort3-server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (snort3-server-other.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (snort3-server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (snort3-server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (snort3-server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (snort3-server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (snort3-server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (snort3-server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (snort3-server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (snort3-server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (snort3-server-other.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (snort3-server-other.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (snort3-server-other.rules)
 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (snort3-server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (snort3-server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (snort3-server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (snort3-server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (snort3-server-other.rules)

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)

Modified Rules:


 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access (server-other.rules)
 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)

2019-08-01 12:24:03 UTC

Snort Subscriber Rules Update

Date: 2019-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50852 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50855 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50834 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50859 <-> DISABLED <-> SERVER-MAIL Postfix IPv6 Relaying Security Issue (server-mail.rules)
 * 1:50839 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50854 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:50861 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN remote code execution attempt (server-webapp.rules)
 * 1:50846 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50862 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50831 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50828 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50848 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50830 <-> DISABLED <-> SERVER-OTHER ISC DHCP command injection attempt (server-other.rules)
 * 1:50853 <-> DISABLED <-> FILE-OTHER Apple DMG ffs_mountfs integer overflow exploit attempt (file-other.rules)
 * 1:50838 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50849 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap obfuscated font attempt (file-other.rules)
 * 1:50856 <-> DISABLED <-> BROWSER-PLUGINS AOL.YGPPicEdit ActiveX clsid access (browser-plugins.rules)
 * 1:50829 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:50833 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50858 <-> ENABLED <-> SERVER-WEBAPP Siemens TIA Administrator authentication bypass attempt (server-webapp.rules)
 * 1:50832 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50850 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 1:50863 <-> DISABLED <-> FILE-PDF Soda PDF denial of service attempt (file-pdf.rules)
 * 1:50837 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50835 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50836 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50847 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50851 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.EvilGnome variant download attempt (malware-other.rules)
 * 3:50844 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50845 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50866 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50842 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50868 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50857 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0877 attack attempt (server-other.rules)
 * 3:50864 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50867 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)
 * 3:50843 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0878 attack attempt (file-image.rules)
 * 3:50869 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0881 attack attempt (file-image.rules)
 * 3:50865 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0880 attack attempt (file-image.rules)

Modified Rules:


 * 1:935 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion startstop DOS access (server-other.rules)
 * 1:909 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource username attempt (server-other.rules)
 * 1:903 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfcache.map access (server-other.rules)
 * 1:905 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:8489 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_DELETE access (server-other.rules)
 * 1:928 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp access (server-other.rules)
 * 1:8491 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion eval.cfm access (server-other.rules)
 * 1:1129 <-> DISABLED <-> SERVER-WEBAPP .htaccess access (server-webapp.rules)
 * 1:927 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion settings refresh attempt (server-other.rules)
 * 1:8490 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion viewexample.cfm access (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:8492 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion openfile.cfm access (server-other.rules)
 * 1:1374 <-> DISABLED <-> SERVER-WEBAPP .htgroup access (server-webapp.rules)
 * 1:908 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion administrator access (server-other.rules)
 * 1:932 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion application.cfm access (server-other.rules)
 * 1:8486 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALREGISTRY access (server-other.rules)
 * 1:936 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access  (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:1659 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sendmail.cfm access (server-other.rules)
 * 1:8487 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_SET access (server-other.rules)
 * 1:49423 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:933 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion onrequestend.cfm access (server-other.rules)
 * 1:910 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion fileexists.cfm access (server-other.rules)
 * 1:8493 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion sourcewindow.cfm access (server-other.rules)
 * 1:1880 <-> DISABLED <-> SERVER-WEBAPP oracle web application server access (server-webapp.rules)
 * 1:906 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getfile.cfm access (server-other.rules)
 * 1:926 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion set odbc ini attempt (server-other.rules)
 * 1:8485 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFNEWINTERNALADMINSECURITY access (server-other.rules)
 * 1:7896 <-> DISABLED <-> BROWSER-PLUGINS AOL.PicEditCtrl ActiveX clsid access (browser-plugins.rules)
 * 1:21663 <-> DISABLED <-> SERVER-OTHER CA BrightStor Agent for Microsoft SQL overflow attempt (server-other.rules)
 * 1:912 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion parks access (server-other.rules)
 * 1:21754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MSXML2 ActiveX malformed HTTP response (os-windows.rules)
 * 1:930 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion snippets attempt (server-other.rules)
 * 1:931 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access (server-other.rules)
 * 1:25627 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Reventon variant outbound connection (malware-cnc.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:50769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.QUADAGENT outbound DNS tunnel (malware-cnc.rules)
 * 1:904 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exampleapp application.cfm (server-other.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:911 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion exprcalc access (server-other.rules)
 * 1:49421 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:8488 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFADMIN_REGISTRY_GET access (server-other.rules)
 * 1:1071 <-> DISABLED <-> SERVER-WEBAPP .htpasswd access (server-webapp.rules)
 * 1:913 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion cfappman access (server-other.rules)
 * 1:49422 <-> DISABLED <-> FILE-OTHER Microsoft Windows TrueType font parsing engine sfac_GetSbitBitmap elevation of privileges attempt (file-other.rules)
 * 1:1540 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt (server-other.rules)
 * 1:914 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion beaninfo access (server-other.rules)
 * 1:929 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access (server-other.rules)
 * 1:907 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion addcontent.cfm access (server-other.rules)
 * 1:915 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion evaluate.cfm access (server-other.rules)
 * 1:916 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcdsn access (server-other.rules)
 * 1:917 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion db connections flush attempt (server-other.rules)
 * 1:918 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion expeval access (server-other.rules)
 * 1:919 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource passwordattempt (server-other.rules)
 * 1:920 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion datasource attempt (server-other.rules)
 * 1:921 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin encrypt attempt (server-other.rules)
 * 1:922 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion displayfile access (server-other.rules)
 * 1:923 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion getodbcin attempt (server-other.rules)
 * 1:924 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion admin decrypt attempt (server-other.rules)
 * 1:925 <-> DISABLED <-> SERVER-OTHER Adobe Coldfusion mainframeset access (server-other.rules)
 * 3:15920 <-> ENABLED <-> FILE-MULTIMEDIA Microsoft mp3 malformed APIC header RCE attempt (file-multimedia.rules)