Talos Rules 2019-08-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-office, indicator-scan, malware-cnc, malware-other, os-other, os-windows, protocol-dns, protocol-telnet, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:

 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)

Modified Rules:

 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:

 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (snort3-malware-other.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (snort3-malware-cnc.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (snort3-malware-other.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (snort3-file-office.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (snort3-file-office.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (snort3-malware-other.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (snort3-malware-cnc.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (snort3-protocol-telnet.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (snort3-malware-cnc.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (snort3-server-other.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (snort3-browser-ie.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (snort3-server-other.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (snort3-file-office.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (snort3-os-other.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (snort3-malware-cnc.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (snort3-server-webapp.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (snort3-browser-ie.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (snort3-server-other.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (snort3-file-office.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (snort3-server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (snort3-file-office.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (snort3-server-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (snort3-indicator-scan.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (snort3-server-webapp.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (snort3-malware-cnc.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (snort3-malware-cnc.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (snort3-server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (snort3-server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (snort3-server-other.rules)

Modified Rules:


 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (snort3-server-other.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (snort3-server-iis.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (snort3-server-other.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (snort3-file-office.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (snort3-server-other.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (snort3-file-office.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (snort3-malware-cnc.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (snort3-server-other.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (snort3-server-other.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (snort3-server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (snort3-protocol-dns.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (snort3-server-webapp.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (snort3-server-other.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (snort3-server-iis.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)

2019-08-29 20:00:24 UTC

Snort Subscriber Rules Update

Date: 2019-08-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51230 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51314 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51313 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid FRTWrapper record integer underflow attempt (file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51350 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51312 <-> DISABLED <-> SERVER-WEBAPP WSO2 Carbon persistent cross site scripting attempt (server-webapp.rules)
 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51227 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51348 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (malware-other.rules)
 * 1:51228 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51364 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51356 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51352 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51231 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51346 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51321 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51322 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51325 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51320 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackMoon variant outbound connection (malware-cnc.rules)
 * 1:51354 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51326 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel DBQueryExt record memory corruption attempt (file-office.rules)
 * 1:51329 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51324 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51328 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51323 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server information disclosure attempt (server-webapp.rules)
 * 1:51359 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51357 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51351 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51233 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51342 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pistacchietto variant outbound connection (malware-cnc.rules)
 * 1:51362 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51345 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51327 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51330 <-> DISABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:51360 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.LooCipher variant outbound connection (malware-cnc.rules)
 * 1:51317 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51361 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.LooCipher variant download attempt (malware-other.rules)
 * 1:51333 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51334 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS record tampering denial of service attempt (server-other.rules)
 * 1:51335 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51336 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine uninitialized pointers memory corruption attempt (browser-ie.rules)
 * 1:51318 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 1:51349 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51358 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS duplicate record denial of service attempt (server-other.rules)
 * 1:51353 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii client session ticket (server-other.rules)
 * 1:51232 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 1:51347 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous ascii session ticket (server-other.rules)
 * 1:51343 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51344 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello (server-other.rules)
 * 1:51340 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt (server-webapp.rules)
 * 1:51338 <-> DISABLED <-> PROTOCOL-TELNET TippingPoint IPS hostname disclosure attempt (protocol-telnet.rules)
 * 1:51339 <-> DISABLED <-> INDICATOR-SCAN Trend Micro Threat Discovery Appliance logon.cgi authentication attempt (indicator-scan.rules)
 * 1:51337 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Extenbro (malware-cnc.rules)
 * 1:51363 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt (file-office.rules)
 * 1:51229 <-> DISABLED <-> SERVER-OTHER FreeRADIUS DHCP string options integer underflow attempt (server-other.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)
 * 3:51366 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51332 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51367 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51365 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS Software NX-API denial of service attempt (server-webapp.rules)
 * 3:51331 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0888 attack attempt (server-webapp.rules)
 * 3:51369 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:17440 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:17705 <-> DISABLED <-> SERVER-IIS RSA Authentication Agent chunked HTTP request buffer overflow attempt (server-iis.rules)
 * 1:45745 <-> DISABLED <-> SERVER-OTHER CloudMe Sync Client stack buffer overflow attempt (server-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:27239 <-> DISABLED <-> SERVER-OTHER IPMI default username - USERID (server-other.rules)
 * 1:27240 <-> DISABLED <-> SERVER-OTHER multiple vendors IPMI RAKP username brute force attempt (server-other.rules)
 * 1:27238 <-> DISABLED <-> SERVER-OTHER IPMI default username - admin (server-other.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook HTML acronym tag memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 3:15148 <-> ENABLED <-> SERVER-OTHER Microsoft SMS remote control client message length denial of service attempt (server-other.rules)
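The changelog format described above (gid:sid <-> Default rule state <-> Message (rule group)) is easy to parse, and an IDS operator usually wants more from a release than the raw list: which entries are new rather than modified, which ship ENABLED by default, and which DISABLED rules cover software actually present in the estate (most exploit-specific rules, such as the Jira template injection and Pulse Secure entries above, ship disabled). The following parser is an added example written for this page, not Talos tooling; the sample input is a short excerpt copied from the lists above, and the keyword list is an assumed operator choice.

```python
"""Parse a 'Snort Subscriber Rules Update' changelog block.

Added example, not part of the Talos release notes. Reads the page's
plain-text format:

    gid:sid <-> Default rule state <-> Message (rule group)

and reports new vs. modified entries, default states per rule group,
and disabled-by-default rules whose message matches software you run.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One changelog entry, anchored on the page's own " <-> " delimiter.
_ENTRY = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+"
    r"(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)
_SECTION = re.compile(r"^(New|Modified) Rules:\s*$")

# Constructed sample: lines excerpted from the lists on this page.
SAMPLE = """\
New Rules:


 * 1:51316 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51341 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Nemty (malware-cnc.rules)
 * 1:51315 <-> DISABLED <-> SERVER-WEBAPP Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt (server-webapp.rules)
 * 1:51319 <-> DISABLED <-> SERVER-OTHER Mosca MQTT broker regular expression denial of service attempt (server-other.rules)
 * 3:51355 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE REST API information disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:51288 <-> ENABLED <-> SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt (server-webapp.rules)
 * 1:27237 <-> DISABLED <-> SERVER-OTHER IPMI default username - root (server-other.rules)
"""


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str
    msg: str
    group: str
    section: str  # "New" or "Modified"

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[Rule]:
    """Parse one changelog block; headers and the format description are skipped."""
    rules, section = [], None
    for line in text.splitlines():
        m = _SECTION.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"],
                          m["msg"], m["group"], section))
    return rules


def check_consistency(rules: list[Rule]) -> list[str]:
    """gid:sid values listed more than once (e.g. in both New and Modified)."""
    counts = Counter(r.ref for r in rules)
    return sorted(ref for ref, n in counts.items() if n > 1)


def state_summary(rules: list[Rule]) -> dict:
    """{(section, rule group): Counter of default states}."""
    out = defaultdict(Counter)
    for r in rules:
        out[(r.section, r.group)][r.state] += 1
    return dict(out)


def enable_candidates(rules: list[Rule], keywords: list[str]) -> list[Rule]:
    """DISABLED rules whose message names software from an operator-supplied list."""
    kws = [k.lower() for k in keywords]
    hits = [r for r in rules
            if r.state == "DISABLED" and any(k in r.msg.lower() for k in kws)]
    return sorted(hits, key=lambda r: (r.gid, r.sid))


def gid_sid_list(rules: list[Rule]) -> list[str]:
    """gid:sid strings in the notation the changelog itself uses."""
    return [r.ref for r in sorted(rules, key=lambda r: (r.gid, r.sid))]


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("duplicates:", check_consistency(rules) or "none")
    for key, states in sorted(state_summary(rules).items()):
        print(key, dict(states))
    # gid 3 entries are shared-object rules; they need the precompiled SO
    # for your Snort build in addition to the text rule stub.
    print("SO rules:", gid_sid_list([r for r in rules if r.gid == 3]))
    # Assumed operator inventory: Jira and Pulse Secure are in the estate.
    print("consider enabling:", gid_sid_list(enable_candidates(rules, ["Jira", "Pulse Secure"])))
```

Run against the full text of a release rather than the excerpt, and feed the resulting gid:sid list to whatever manages rule state in your deployment; the Pulse Secure rule does not appear among the candidates because it already ships ENABLED.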