Talos Rules 2019-10-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-1060: A coding deficiency exists in MSXML that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51793 through 51794.

Microsoft Vulnerability CVE-2019-1238: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51791 through 51792.

Microsoft Vulnerability CVE-2019-1239: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51789 through 51790.

Microsoft Vulnerability CVE-2019-1307: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51787 through 51788.

Microsoft Vulnerability CVE-2019-1308: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51785 through 51786.

Microsoft Vulnerability CVE-2019-1333: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51741 through 51742.

Microsoft Vulnerability CVE-2019-1335: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51735 through 51736.

Microsoft Vulnerability CVE-2019-1341: A coding deficiency exists in Microsoft Windows Power Service that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51781 through 51782.

Microsoft Vulnerability CVE-2019-1362: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51739 through 51740.

Microsoft Vulnerability CVE-2019-1364: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51733 through 51734.

Microsoft Vulnerability CVE-2019-1366: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51783 through 51784.

Talos has also added and modified multiple rules in the browser-ie, file-other, file-pdf, indicator-compromise, indicator-scan, os-windows, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (snort3-os-windows.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (snort3-browser-ie.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (snort3-server-webapp.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (snort3-os-windows.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (snort3-server-webapp.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (snort3-os-windows.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (snort3-protocol-voip.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (snort3-protocol-voip.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (snort3-server-webapp.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (snort3-protocol-voip.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (snort3-file-other.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (snort3-protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (snort3-protocol-voip.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (snort3-protocol-voip.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (snort3-protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (snort3-protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (snort3-protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (snort3-protocol-voip.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (snort3-os-windows.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (snort3-protocol-voip.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (snort3-protocol-voip.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (snort3-protocol-voip.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (snort3-protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (snort3-protocol-voip.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (snort3-server-webapp.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (snort3-server-iis.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (snort3-protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (snort3-protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (snort3-protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (snort3-protocol-voip.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (snort3-server-webapp.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (snort3-protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (snort3-protocol-voip.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (snort3-os-windows.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (snort3-indicator-compromise.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (snort3-protocol-voip.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (snort3-protocol-voip.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (snort3-protocol-voip.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (snort3-browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (snort3-protocol-voip.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (snort3-protocol-voip.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (snort3-file-other.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (snort3-server-webapp.rules)
 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (snort3-server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (snort3-indicator-scan.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (snort3-server-webapp.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (snort3-server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (snort3-server-webapp.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)

2019-10-08 16:55:20 UTC

Snort Subscriber Rules Update

Date: 2019-10-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51730 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51768 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51792 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51788 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51782 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 1:51773 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51790 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51787 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51785 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51784 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51731 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51736 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51759 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51732 <-> DISABLED <-> SERVER-WEBAPP OpenEMR directory traversal attempt (server-webapp.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51791 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript engine memory corruption attempt (browser-ie.rules)
 * 1:51789 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript engine memory corruption attempt (browser-ie.rules)
 * 1:51748 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51777 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51740 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51753 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51770 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request Max-Forwards header of zero attempt (protocol-voip.rules)
 * 1:51758 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Proxy-Require header value attempt (protocol-voip.rules)
 * 1:51757 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing Contact header field attempt (protocol-voip.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 1:51745 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request invalid Content-Length attempt (protocol-voip.rules)
 * 1:51754 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Require header value attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple content-length headers attempt (protocol-voip.rules)
 * 1:51750 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture failure to enclose name-addr URI in angle brackets attempt (protocol-voip.rules)
 * 1:51744 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51762 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture invalid Date header time zone attempt (protocol-voip.rules)
 * 1:51779 <-> DISABLED <-> SERVER-WEBAPP generic cross-site scripting attempt (server-webapp.rules)
 * 1:51755 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple SP separating request-line elements attempt (protocol-voip.rules)
 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51783 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51786 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51780 <-> DISABLED <-> SERVER-IIS Microsoft IIS IDC ISAPI cross-site scripting attempt (server-iis.rules)
 * 1:51739 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:51772 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing Call-ID header attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51746 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown method with CSeq method mismatch attempt (protocol-voip.rules)
 * 1:51751 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture negative Content-Length attempt (protocol-voip.rules)
 * 1:51769 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown URI scheme in Contact field attempt (protocol-voip.rules)
 * 1:51771 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Content-Type attempt (protocol-voip.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51747 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unacceptable accept offering attempt (protocol-voip.rules)
 * 1:51743 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51741 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows Remote Desktop client heap spray attempt (indicator-compromise.rules)
 * 1:51765 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large CSeq header value attempt (protocol-voip.rules)
 * 1:51756 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Warning header value attempt (protocol-voip.rules)
 * 1:51735 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:51774 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly-large SIP response code attempt (protocol-voip.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51766 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture overly large Expires header value attempt (protocol-voip.rules)
 * 1:51733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k font file privilege escalation attempt (os-windows.rules)
 * 1:51776 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:51778 <-> DISABLED <-> FILE-OTHER Microsoft Windows dismHost.exe dll-load exploit attempt (file-other.rules)
 * 1:51775 <-> DISABLED <-> SERVER-WEBAPP Gxlcms SQL injection attempt (server-webapp.rules)
 * 1:51752 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture 200 OK response with broadcast in Via header attempt (protocol-voip.rules)
 * 1:51781 <-> DISABLED <-> OS-WINDOWS Microsoft Windows registry key deletion privilege escalation attempt (os-windows.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
 * 1:43435 <-> DISABLED <-> SERVER-WEBAPP Cisco Secure Access Control Server cross site scripting attempt (server-webapp.rules)
 * 1:24914 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:19826 <-> DISABLED <-> SERVER-WEBAPP HP Power Manager remote code execution attempt (server-webapp.rules)
 * 1:24913 <-> DISABLED <-> SERVER-WEBAPP HP OpenView NNM ovutil.dll getProxiedStorageAddress buffer overflow attempt (server-webapp.rules)
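The notices above describe their line format only as `gid:sid <-> Default rule state <-> Message (rule group)`. The following parser is an added example, not code from Talos or the Snort project: it turns such a listing into records, reports which rules fire by default, compares the packs shipped for two Snort versions, and checks an advisory's "SIDs X through Y" claim against what a pack actually lists. The two excerpts embedded in it are a handful of lines copied from the Snort 3000 and Snort 2990 listings above (a constructed subset, not the full packs); the regular expression assumes the category prefix is upper-case and the rule file is the final parenthesised token, as every line above shows.

```python
"""Parser for Talos/Snort rule-update listings of the form

    gid:sid <-> Default rule state <-> Message (rule group)

Added example; not Talos or Snort code. The excerpts below are a small
subset of lines from the Snort 3000 and 2990 notices, not complete packs.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# One listing line, e.g.
#  * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
LINE_RE = re.compile(
    r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z][A-Z0-9-]*)\s+(?P<msg>.*?)\s*\((?P<rulefile>[^()]+)\)$"
)

RuleKey = Tuple[int, int]  # (gid, sid)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # default state in the pack: "ENABLED" or "DISABLED"
    category: str   # message prefix, e.g. "BROWSER-IE"
    msg: str        # message text after the category prefix
    rulefile: str   # rule group / file named in parentheses
    section: str    # "new" or "modified", from the heading the line sits under


def parse_listing(text: str) -> List[RuleEntry]:
    """Parse a notice body; prose, blank lines and other headers are skipped."""
    entries: List[RuleEntry] = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            section = "new"
            continue
        if line == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                 m["category"], m["msg"], m["rulefile"], section))
    return entries


def rule_keys(entries: List[RuleEntry]) -> Set[RuleKey]:
    return {(e.gid, e.sid) for e in entries}


def enabled_by_default(entries: List[RuleEntry]) -> List[RuleKey]:
    """Rules that alert without local tuning; all others must be enabled in policy."""
    return sorted((e.gid, e.sid) for e in entries if e.state == "ENABLED")


def pack_difference(a: List[RuleEntry], b: List[RuleEntry]) -> List[RuleKey]:
    """(gid, sid) pairs shipped in pack a but absent from pack b."""
    return sorted(rule_keys(a) - rule_keys(b))


def missing_from_range(entries: List[RuleEntry], gid: int, lo: int, hi: int) -> List[int]:
    """SIDs in gid:lo..hi that the pack does not list, for checking an
    advisory's 'SIDs lo through hi' statement against what was shipped."""
    present = rule_keys(entries)
    return [sid for sid in range(lo, hi + 1) if (gid, sid) not in present]


# Constructed excerpt of the Snort 3000 notice (subset of lines, not the full pack).
SNORT_3000_EXCERPT = """\
New Rules:

 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (snort3-browser-ie.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (snort3-browser-ie.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (snort3-os-windows.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (snort3-protocol-voip.rules)

Modified Rules:

 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (snort3-indicator-scan.rules)
"""

# Constructed excerpt of the Snort 2990 notice; this pack also lists the GID 3 rules.
SNORT_2990_EXCERPT = """\
New Rules:

 * 1:51793 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51794 <-> ENABLED <-> BROWSER-IE Microsoft Edge MSXML memory corruption attempt (browser-ie.rules)
 * 1:51742 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DRDYNVC use after free attempt (os-windows.rules)
 * 1:51763 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture unknown Authorization scheme attempt (protocol-voip.rules)
 * 3:51737 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)
 * 3:51738 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0915 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:19559 <-> DISABLED <-> INDICATOR-SCAN SSH brute force login attempt (indicator-scan.rules)
"""

if __name__ == "__main__":
    p3000, p2990 = parse_listing(SNORT_3000_EXCERPT), parse_listing(SNORT_2990_EXCERPT)
    print("enabled by default in 3000 excerpt:", enabled_by_default(p3000))
    print("in 2990 but not 3000:", pack_difference(p2990, p3000))
    print("CVE-2019-1060 SIDs missing from 3000 excerpt:", missing_from_range(p3000, 1, 51793, 51794))
```

Two points the output makes concrete. First, most of this release (the SIP Torture, OpenEMR, Gxlcms, IIS and RDP client rules) ships DISABLED, so none of it alerts until the SIDs are enabled in local policy; only the BROWSER-IE, Win32k and GID 3 FILE-PDF rules are on by default. Second, as the listings above show, the GID 3 rules 51737 and 51738 appear in the Snort 2990 and 2983 packs but not in the Snort 3000 pack, which `pack_difference` surfaces directly when the full notices are fed in instead of the excerpts.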