Talos Rules 2019-08-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-identify, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other, os-mobile, os-other, policy-other, protocol-other, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

Modified Rules:

 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

Modified Rules:

 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

Modified Rules:

 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

Modified Rules:


 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (snort3-server-other.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (snort3-server-other.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (snort3-protocol-voip.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (snort3-file-pdf.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (snort3-server-other.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (snort3-file-identify.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (snort3-file-other.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (snort3-file-pdf.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (snort3-os-mobile.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (snort3-protocol-voip.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (snort3-file-flash.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (snort3-server-webapp.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (snort3-server-other.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (snort3-server-webapp.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (snort3-malware-cnc.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (snort3-malware-other.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (snort3-policy-other.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (snort3-file-flash.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (snort3-file-other.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (snort3-file-office.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (snort3-protocol-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (snort3-os-mobile.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (snort3-file-image.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (snort3-file-other.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (snort3-malware-cnc.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (snort3-file-other.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (snort3-server-other.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (snort3-file-office.rules)

Modified Rules:


 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (snort3-file-identify.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (snort3-server-webapp.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (snort3-file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (snort3-file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (snort3-file-identify.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (snort3-malware-cnc.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (snort3-server-apache.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (snort3-file-identify.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (snort3-file-identify.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (snort3-file-identify.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (snort3-server-other.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (snort3-file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (snort3-server-webapp.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (snort3-server-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51137 <-> ENABLED <-> MALWARE-CNC edit Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)

Modified Rules:


 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)

2019-08-20 12:01:10 UTC

Snort Subscriber Rules Update

Date: 2019-08-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51083 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51073 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51082 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51074 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51125 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:51084 <-> DISABLED <-> FILE-PDF PDFParser trailer string buffer overflow attempt (file-pdf.rules)
 * 1:51117 <-> ENABLED <-> MALWARE-CNC Win.Coinminer.PCASTLE outbound connection (malware-cnc.rules)
 * 1:51076 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51126 <-> DISABLED <-> SERVER-OTHER ISC Bind libdns EDNS option handling denial of service attempt (server-other.rules)
 * 1:51087 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51119 <-> DISABLED <-> POLICY-OTHER GrandNode 4.4 arbitrary file download attempt (policy-other.rules)
 * 1:51072 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51089 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51130 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51116 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51078 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51132 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51129 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51090 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51070 <-> DISABLED <-> SERVER-OTHER Microsoft WINS Server remote memory corruption attempt (server-other.rules)
 * 1:51108 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51091 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51131 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51071 <-> DISABLED <-> SERVER-WEBAPP revolutionProducts FlexBB flexbb_lang_id cookie parameter SQL injection attempt (server-webapp.rules)
 * 1:51092 <-> DISABLED <-> FILE-IDENTIFY gzip compressed file over email detected (file-identify.rules)
 * 1:51114 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51077 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51086 <-> DISABLED <-> PROTOCOL-VOIP Digium Asterisk multiple malformed Accept headers denial of service attempt (protocol-voip.rules)
 * 1:51121 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51085 <-> DISABLED <-> SERVER-OTHER FreeRadius malformed service type field denial of service attempt (server-other.rules)
 * 1:51081 <-> DISABLED <-> FILE-FLASH Adobe Flash player memory corruption attempt (file-flash.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:51120 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51080 <-> DISABLED <-> SERVER-OTHER GoldenGate Monitoring Manager buffer overflow attempt (server-other.rules)
 * 1:51094 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51095 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51079 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt (file-office.rules)
 * 1:51113 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51110 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51109 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51133 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51096 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51097 <-> DISABLED <-> FILE-IMAGE Multiple products JBIG compressed TIFF buffer overflow attempt (file-image.rules)
 * 1:51098 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51099 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51100 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51135 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51134 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51128 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51101 <-> ENABLED <-> FILE-OTHER LibreOffice macro remote code execution attempt (file-other.rules)
 * 1:51102 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51075 <-> DISABLED <-> FILE-OTHER CA Products AV Engine CHM file handling denial of service attempt (file-other.rules)
 * 1:51103 <-> DISABLED <-> OS-MOBILE Microsoft Outlook for Android stored cross-site script attempt (os-mobile.rules)
 * 1:51104 <-> DISABLED <-> PROTOCOL-OTHER Eclipse MQTT Message Broker Topic denial of service attempt (protocol-other.rules)
 * 1:51105 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51106 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51107 <-> DISABLED <-> FILE-OTHER Zortam Mp3 Media Studio local buffer overflow attempt (file-other.rules)
 * 1:51088 <-> DISABLED <-> FILE-OFFICE Microsoft Office TIFF filter buffer overflow attempt (file-office.rules)
 * 1:51118 <-> ENABLED <-> MALWARE-OTHER Download of malicious PowerShell script (malware-other.rules)
 * 1:51137 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51115 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51112 <-> ENABLED <-> MALWARE-CNC Win.Spyware.StrongPity outbound connection (malware-cnc.rules)
 * 1:51122 <-> DISABLED <-> SERVER-WEBAPP GrandNode 4.4 path traversal attempt (server-webapp.rules)
 * 1:51136 <-> ENABLED <-> MALWARE-CNC Andr.Spyware.SpyPhoneApp variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 3:51124 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51123 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0886 attack attempt (file-office.rules)
 * 3:51111 <-> ENABLED <-> OS-OTHER VxWorks TCP URG memory corruption attempt (os-other.rules)

Modified Rules:


 * 1:2423 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request (file-identify.rules)
 * 1:2420 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request (file-identify.rules)
 * 1:2422 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request (file-identify.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:9639 <-> DISABLED <-> FILE-IDENTIFY Microsoft Windows Address Book file magic detected (file-identify.rules)
 * 1:50768 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BONDUPDATER outbound DNS tunnel (malware-cnc.rules)
 * 1:2436 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows Audio wmf file download request (file-identify.rules)
 * 1:29799 <-> DISABLED <-> SERVER-WEBAPP CuteFlow pre-authenticated admin account creation attempt (server-webapp.rules)
 * 1:30515 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:2419 <-> ENABLED <-> FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request (file-identify.rules)
 * 1:46428 <-> DISABLED <-> SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt (server-apache.rules)
 * 1:3551 <-> ENABLED <-> FILE-IDENTIFY HTA file download request (file-identify.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:9845 <-> ENABLED <-> FILE-IDENTIFY M3U file magic detected (file-identify.rules)
 * 1:30514 <-> ENABLED <-> SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30517 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 1:30516 <-> ENABLED <-> SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt (server-other.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER Multiple Operating Systems invalid DHCP option attempt (os-other.rules)