Talos Rules 2019-10-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-multimedia, file-other, malware-cnc, malware-other, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
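The listings above follow the `gid:sid <-> Default rule state <-> Message (rule group)` format described at the top of each change log, and most of the new SERVER-WEBAPP and POLICY-OTHER rules (for example the Apache Solr DataImportHandler rules 1:51681, 1:51682 and 1:51683) ship DISABLED, so they do nothing until an operator enables them explicitly. The following Python parser is an added example, not part of the Talos release notes or of any Snort tooling: it reads change-log lines of this format, separates new from modified rules, pulls out the DISABLED rules whose message matches a keyword, renders them as PulledPork-style `enablesid.conf` lines, and flags the gid 3 (precompiled shared-object) rules, which appear in the Snort 2.9 listings but not in the Snort 3 listing. The embedded sample is a handful of lines copied from the listing above; the keyword filter and the `enablesid.conf` line layout are assumptions for illustration.

```python
"""Parse Snort/Talos rule-update change logs and list DISABLED-by-default rules.

Added example; not part of the Talos release notes or of Snort/PulledPork.
SAMPLE is a small excerpt copied from the 2019-10-01 listing; the keyword
filter and the enablesid line layout are assumptions made for illustration.
"""
import re

# Matches lines such as:
#  * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr ... attempt (server-webapp.rules)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^)]+)\)\s*$"
)

# Constructed sample: a few lines taken verbatim from the listing above.
SAMPLE = """\
New Rules:

 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ('new' or
    'modified') it was listed under. Lines that do not match the format
    (headers, blanks, dates) are skipped."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "gid": int(m.group("gid")), "sid": int(m.group("sid")),
            "state": m.group("state"), "msg": m.group("msg").strip(),
            "group": m.group("group"), "section": section,
        })
    return entries


def count_by_state(entries):
    """Count ENABLED vs DISABLED rules; a quick check of how much of an
    update actually fires with default policy."""
    counts = {"ENABLED": 0, "DISABLED": 0}
    for e in entries:
        counts[e["state"]] += 1
    return counts


def disabled_matching(entries, keywords):
    """DISABLED rules whose message contains any keyword (case-insensitive).
    These are the rules an operator has to turn on deliberately."""
    kws = [k.lower() for k in keywords]
    return [e for e in entries
            if e["state"] == "DISABLED" and any(k in e["msg"].lower() for k in kws)]


def enablesid_lines(entries):
    """Render entries as PulledPork enablesid.conf lines ('gid:sid  # message');
    the trailing comment is an assumed convenience, not required by PulledPork."""
    return ["%d:%d  # %s" % (e["gid"], e["sid"], e["msg"]) for e in entries]


def shared_object_rules(entries):
    """gid 3 rules are precompiled shared-object (SO) rules: they need the SO
    package built for your Snort version and are not in the Snort 3 listing."""
    return [e for e in entries if e["gid"] == 3]


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("parsed %d rules, %s" % (len(rules), count_by_state(rules)))
    print("\n".join(enablesid_lines(disabled_matching(rules, ["solr"]))))
    print("SO rules:", [e["sid"] for e in shared_object_rules(rules)])
```

Run the script against the full text of a change log (for example by reading it from a file instead of `SAMPLE`) to get an `enablesid.conf` fragment for the product names you actually run; keep the keyword list narrow, since enabling every DISABLED server-webapp rule wholesale raises the false-positive rate without a matching asset inventory.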

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)

Modified Rules:


 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (snort3-server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (snort3-server-webapp.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (snort3-server-webapp.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (snort3-server-apache.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (snort3-server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (snort3-server-webapp.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (snort3-server-webapp.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (snort3-policy-other.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (snort3-policy-other.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (snort3-malware-cnc.rules)

Modified Rules:


 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (snort3-server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (snort3-server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (snort3-server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (snort3-server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (snort3-server-other.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (snort3-server-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (snort3-server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (snort3-server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (snort3-server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (snort3-server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (snort3-server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (snort3-server-webapp.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (snort3-server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (snort3-server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (snort3-server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (snort3-malware-cnc.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (snort3-server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (snort3-server-other.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (snort3-server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (snort3-server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (snort3-server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (snort3-server-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (snort3-server-other.rules)

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)

2019-10-01 12:44:32 UTC

Snort Subscriber Rules Update

Date: 2019-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51657 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51664 <-> DISABLED <-> SERVER-WEBAPP Cesanta Mongoose buffer overflow attempt (server-webapp.rules)
 * 1:51663 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin Grace Media Player local file inclusion attempt (server-webapp.rules)
 * 1:51667 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51660 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager cross site scripting attempt (server-webapp.rules)
 * 1:51670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51655 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51668 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51654 <-> DISABLED <-> POLICY-OTHER InduSoft Web Studio MTCheckFileFunctionsTimeout remote code execution attempt (policy-other.rules)
 * 1:51659 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51662 <-> DISABLED <-> SERVER-APACHE Apache Qpid AMQP denial of service attempt (server-apache.rules)
 * 1:51671 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Silence variant outbound connection detected (malware-cnc.rules)
 * 1:51681 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 1:51656 <-> DISABLED <-> SERVER-WEBAPP B-net Software cross site scripting attempt (server-webapp.rules)
 * 1:51661 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51658 <-> DISABLED <-> SERVER-WEBAPP Responsive FileManager directory traversal attempt (server-webapp.rules)
 * 1:51672 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Moonshine outbound connection (malware-cnc.rules)
 * 1:51669 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager download.php directory traversal attempt (server-webapp.rules)
 * 1:51683 <-> DISABLED <-> POLICY-OTHER Apache Solr DataImportHandler arbitrary dataConfig import attempt (policy-other.rules)
 * 1:51682 <-> DISABLED <-> SERVER-WEBAPP Apache Solr DataImportHandler arbitrary code execution attempt (server-webapp.rules)
 * 3:51680 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51679 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51665 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51676 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51684 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0914 attack attempt (server-webapp.rules)
 * 3:51677 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51674 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51666 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0913 attack attempt (file-other.rules)
 * 3:51678 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51673 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)
 * 3:51675 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0912 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:44375 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid signature algorithm (server-other.rules)
 * 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:51522 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:36816 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 IAKERB outbound token detected (server-other.rules)
 * 1:47265 <-> ENABLED <-> MALWARE-CNC Win.Trojan.ICLoader outbound connection (malware-cnc.rules)
 * 1:36814 <-> DISABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt (server-other.rules)
 * 1:44740 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:1762 <-> DISABLED <-> SERVER-WEBAPP phf arbitrary command execution attempt (server-webapp.rules)
 * 1:44374 <-> DISABLED <-> SERVER-OTHER Open SSL 1.0.2 DoS attempt with an invalid hash algorithm (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:51526 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:48121 <-> DISABLED <-> SERVER-OTHER LSIS wXP Denial of Service attempt (server-other.rules)
 * 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44739 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:44741 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:36815 <-> ENABLED <-> SERVER-OTHER MIT Kerberos 5 SPNEGO incoming token detected (server-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:40845 <-> DISABLED <-> SERVER-OTHER OpenSSL Invalid CMS structure null pointer dereference attempt (server-other.rules)
 * 1:44742 <-> DISABLED <-> SERVER-OTHER Novell GroupWise HTTP interface arbitrary file retrieval attempt (server-other.rules)
 * 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)