Talos Rules 2019-10-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-office, file-other, file-pdf, os-mobile, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (snort3-file-office.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (snort3-policy-other.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (snort3-file-office.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (snort3-os-mobile.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (snort3-server-other.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (snort3-file-office.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (snort3-file-office.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (snort3-file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (snort3-file-office.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (snort3-os-mobile.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (snort3-os-mobile.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (snort3-os-mobile.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (snort3-server-other.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (snort3-server-other.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (snort3-server-other.rules)

Modified Rules:


 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (snort3-file-office.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (snort3-browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (snort3-file-other.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (snort3-file-office.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (snort3-browser-firefox.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (snort3-browser-firefox.rules)
 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (snort3-browser-firefox.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)

2019-10-22 12:18:46 UTC

Snort Subscriber Rules Update

Date: 2019-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51954 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51957 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51964 <-> DISABLED <-> SERVER-OTHER multiple products HTTP OPTIONS request buffer overflow attempt (server-other.rules)
 * 1:51962 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51960 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:51953 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51958 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51965 <-> DISABLED <-> SERVER-OTHER multiple products HTTP referer header buffer overflow attempt (server-other.rules)
 * 1:51947 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51955 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 1:51966 <-> DISABLED <-> POLICY-OTHER Microsoft Exchange Server PushSubscriptionRequest setup attempt (policy-other.rules)
 * 1:51946 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:51959 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF stack exhaustion denial of service attempt (file-office.rules)
 * 1:51963 <-> DISABLED <-> SERVER-OTHER multiple products HTTP GET request buffer overflow attempt (server-other.rules)
 * 1:51956 <-> ENABLED <-> OS-MOBILE Android WhatsApp malformed GIF double-free remote code execution attempt (os-mobile.rules)
 * 3:51951 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51950 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51952 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0920 attack attempt (file-pdf.rules)
 * 3:51949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0935 attack attempt (file-pdf.rules)
 * 3:51948 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0918 attack attempt (policy-other.rules)

Modified Rules:


 * 1:19303 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:16421 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:20583 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple location headers malicious redirect attempt (browser-firefox.rules)
 * 1:20584 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-type headers malicious redirect attempt (browser-firefox.rules)
 * 1:20586 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-disposition headers malicious redirect attempt (browser-firefox.rules)
 * 1:20585 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple content-length headers malicious redirect attempt (browser-firefox.rules)
 * 1:51093 <-> DISABLED <-> FILE-OTHER RAR archived executable attachment (file-other.rules)