Talos Rules 2019-10-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-webkit, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, os-windows, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)

Modified Rules:

 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)

Modified Rules:

 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)

Modified Rules:

 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (snort3-malware-other.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (snort3-server-other.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (snort3-server-webapp.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (snort3-server-other.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (snort3-os-linux.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (snort3-server-webapp.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (snort3-server-other.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (snort3-server-other.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (snort3-os-windows.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (snort3-server-other.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (snort3-file-pdf.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (snort3-malware-other.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (snort3-file-pdf.rules)

Modified Rules:

 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (snort3-browser-ie.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (snort3-file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (snort3-file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (snort3-server-oracle.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (snort3-file-other.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (snort3-browser-ie.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)

Modified Rules:

 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)

2019-10-29 15:03:29 UTC

Snort Subscriber Rules Update

Date: 2019-10-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52039 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52030 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52029 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound beacon attempt (malware-cnc.rules)
 * 1:52028 <-> DISABLED <-> SERVER-WEBAPP JavaServer Faces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:52035 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52022 <-> DISABLED <-> OS-LINUX Red Hat NetworkManager DHCP client command injection attempt (os-linux.rules)
 * 1:52040 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52026 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52041 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JP2 image stream parsing double free attempt (file-pdf.rules)
 * 1:52038 <-> DISABLED <-> SERVER-OTHER PostgreSQL SCRAM authentication stack buffer overflow attempt (server-other.rules)
 * 1:52027 <-> ENABLED <-> MALWARE-OTHER Xml.Phishing.Evernote outbound connection (malware-other.rules)
 * 1:52043 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52042 <-> DISABLED <-> SERVER-OTHER OpenSSL ECDH malformed Client Hello denial of service attempt (server-other.rules)
 * 1:52037 <-> ENABLED <-> SERVER-OTHER ZeroMQ libzmq stack-based buffer overflow attempt (server-other.rules)
 * 1:52031 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52033 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52044 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52034 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52045 <-> DISABLED <-> SERVER-WEBAPP VEGO Web Forum SQL injection attempt (server-webapp.rules)
 * 1:52032 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overwrite attempt (os-windows.rules)
 * 1:52036 <-> DISABLED <-> SERVER-OTHER Adobe ColdFusion JNBridge remote code execution attempt (server-other.rules)
 * 3:52049 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52025 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52023 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0923 attack attempt (server-webapp.rules)
 * 3:52051 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52048 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt (browser-webkit.rules)
 * 3:52024 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2019-0932 attack attempt (server-other.rules)
 * 3:52047 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)
 * 3:52050 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0937 attack attempt (file-other.rules)
 * 3:52046 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0934 attack attempt (file-pdf.rules)

Modified Rules:
 * 1:50840 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:27921 <-> DISABLED <-> SERVER-ORACLE Oracle Endeca Server createDataStore remote command injection attempt (server-oracle.rules)
 * 1:50841 <-> DISABLED <-> FILE-OTHER TAR multiple antivirus evasion attempt (file-other.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:21943 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:49940 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:18300 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer FTP command injection attempt (browser-ie.rules)
 * 1:51961 <-> DISABLED <-> SERVER-WEBAPP Jenkins CLI arbitrary Java object deserialization attempt (server-webapp.rules)