Talos Rules 2019-09-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0787: A coding deficiency exists in Remote Desktop Protocol Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 51481.

Microsoft Vulnerability CVE-2019-0788: A coding deficiency exists in Remote Desktop Protocol Client that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51482 through 51483.

Microsoft Vulnerability CVE-2019-1214: A coding deficiency exists in Microsoft Windows Common Log File System (CLFS) driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51436 through 51437.

Microsoft Vulnerability CVE-2019-1215: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51445 through 51446.

Microsoft Vulnerability CVE-2019-1216: A coding deficiency exists in DirectX that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51449 through 51450.

Microsoft Vulnerability CVE-2019-1219: A coding deficiency exists in Microsoft Windows Common Log File System (CLFS) driver that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51451 through 51452.

Microsoft Vulnerability CVE-2019-1256: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51463 through 51464.

Microsoft Vulnerability CVE-2019-1257: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51474 through 51475.

Microsoft Vulnerability CVE-2019-1284: A coding deficiency exists in DirectX that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51456 through 51457.

Microsoft Vulnerability CVE-2019-1285: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51454 through 51455.

Microsoft Vulnerability CVE-2019-1295: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 51438.

Microsoft Vulnerability CVE-2019-1296: A coding deficiency exists in Microsoft SharePoint that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51479 through 51480.

Talos also has added and modified multiple rules in the browser-chrome, browser-firefox, browser-ie, file-executable, file-image, file-office, file-other, malware-backdoor, os-windows, policy-other, protocol-dns, protocol-other, protocol-scada, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)

Modified Rules:


 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)

Modified Rules:


 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)

Modified Rules:


 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)

Modified Rules:


 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (snort3-server-webapp.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (snort3-server-webapp.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (snort3-file-office.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (snort3-file-other.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (snort3-browser-firefox.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (snort3-os-windows.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (snort3-browser-ie.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (snort3-server-other.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (snort3-os-windows.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (snort3-os-windows.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (snort3-malware-backdoor.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (snort3-file-other.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (snort3-server-webapp.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (snort3-os-windows.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (snort3-browser-ie.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (snort3-os-windows.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (snort3-file-executable.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (snort3-server-webapp.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (snort3-server-webapp.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (snort3-os-windows.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (snort3-server-webapp.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (snort3-os-windows.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (snort3-os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (snort3-os-windows.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (snort3-os-windows.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (snort3-file-other.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (snort3-browser-firefox.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (snort3-server-other.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (snort3-file-office.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (snort3-os-windows.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (snort3-server-other.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (snort3-os-windows.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (snort3-policy-other.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (snort3-file-other.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (snort3-os-windows.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (snort3-file-executable.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (snort3-server-other.rules)

Modified Rules:


 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (snort3-server-webapp.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (snort3-protocol-scada.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (snort3-malware-backdoor.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (snort3-malware-backdoor.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (snort3-protocol-scada.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (snort3-malware-backdoor.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (snort3-server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (snort3-server-webapp.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (snort3-malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (snort3-malware-backdoor.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (snort3-protocol-scada.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (snort3-os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (snort3-server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (snort3-protocol-dns.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (snort3-malware-backdoor.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (snort3-protocol-scada.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (snort3-server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (snort3-protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (snort3-protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (snort3-protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (snort3-protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (snort3-protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (snort3-protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (snort3-protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (snort3-protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (snort3-protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (snort3-protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (snort3-protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (snort3-protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (snort3-protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (snort3-protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (snort3-protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (snort3-protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (snort3-protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (snort3-protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (snort3-protocol-scada.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (snort3-protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (snort3-protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (snort3-protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (snort3-protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (snort3-protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (snort3-protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (snort3-protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (snort3-protocol-scada.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (snort3-protocol-other.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (snort3-protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (snort3-protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (snort3-protocol-scada.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (snort3-policy-other.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (snort3-protocol-scada.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)

Modified Rules:


 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)

2019-09-10 17:02:28 UTC

Snort Subscriber Rules Update

Date: 2019-09-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51436 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51435 <-> DISABLED <-> MALWARE-BACKDOOR blazer5 runtime detection (malware-backdoor.rules)
 * 1:51444 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51443 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51437 <-> ENABLED <-> OS-WINDOWS Microsoft Windows common log file system driver escalation of privilege attempt (os-windows.rules)
 * 1:51479 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51440 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Custom Elements write-after-free attempt (browser-firefox.rules)
 * 1:51449 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51467 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51451 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51476 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51477 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51463 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51460 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51456 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51474 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51455 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51457 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdi32 graphics adapter handling null pointer dereference attempt (os-windows.rules)
 * 1:51442 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51466 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51470 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51473 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51450 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel memory information leak attempt (os-windows.rules)
 * 1:51438 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint BdcAdminService remote code execution attempt (server-webapp.rules)
 * 1:51441 <-> DISABLED <-> SERVER-WEBAPP Laquis SCADA Nome command injection attempt (server-webapp.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:51483 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51482 <-> ENABLED <-> FILE-EXECUTABLE Windows Microsoft Remote Desktop Services remote code execution attempt (file-executable.rules)
 * 1:51458 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51468 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51472 <-> DISABLED <-> FILE-OFFICE Microsoft Windows WordPad and Office text converter integer overflow attempt (file-office.rules)
 * 1:51464 <-> ENABLED <-> OS-WINDOWS Microsoft Windows elevation of privilege attempt (os-windows.rules)
 * 1:51478 <-> DISABLED <-> SERVER-OTHER NFS server /etc/passwd symlink creation attempt (server-other.rules)
 * 1:51480 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint remote code execution attempt (file-other.rules)
 * 1:51454 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k kernel information leak attempt (os-windows.rules)
 * 1:51465 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51469 <-> DISABLED <-> SERVER-WEBAPP Fortigate SSL VPN cross site scripting attempt (server-webapp.rules)
 * 1:51452 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Common Log File information disclosure attempt (os-windows.rules)
 * 1:51459 <-> ENABLED <-> BROWSER-IE Microsoft Edge print function information disclosure attempt (browser-ie.rules)
 * 1:51453 <-> DISABLED <-> SERVER-WEBAPP Pulse Secure Connect VPN post-auth hc.cgi buffer overflow attempt (server-webapp.rules)
 * 3:51447 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51462 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)
 * 3:51448 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0891 attack attempt (file-image.rules)
 * 3:51461 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0890 attack attempt (file-other.rules)

Modified Rules:


 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:51265 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:51264 <-> DISABLED <-> SERVER-WEBAPP Open-AudIT Community Store cross site scripting attempt (server-webapp.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:1002 <-> DISABLED <-> SERVER-IIS cmd.exe access (server-iis.rules)
 * 1:1122 <-> DISABLED <-> SERVER-WEBAPP /etc/passwd file access attempt (server-webapp.rules)
 * 1:7107 <-> DISABLED <-> MALWARE-BACKDOOR girlfriend runtime detection (malware-backdoor.rules)
 * 1:147 <-> DISABLED <-> MALWARE-BACKDOOR GateCrasher (malware-backdoor.rules)
 * 1:208 <-> DISABLED <-> MALWARE-BACKDOOR PhaseZero Server Active on Network (malware-backdoor.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:3017 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WINS overflow attempt (os-windows.rules)
 * 1:32381 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS SRTP extension parsing denial-of-service attempt (server-other.rules)
 * 1:33583 <-> DISABLED <-> PROTOCOL-DNS ISC BIND recursive resolver resource consumption denial of service attempt (protocol-dns.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:3463 <-> DISABLED <-> SERVER-WEBAPP awstats access (server-webapp.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:6110 <-> DISABLED <-> MALWARE-BACKDOOR forced entry v1.1 beta runtime detection (malware-backdoor.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)