Talos Rules 2019-11-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-multimedia, file-pdf, indicator-compromise, malware-other, policy-other, protocol-voip, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note from the change logs below that most of the new gid 1 rules ship DISABLED by default and must be explicitly enabled on a sensor, while the gid 3 TRUFFLEHUNTER entries are shared-object rules that appear in the 2.9.x packs but not in the Snort 3 (version 3000) pack.

Change logs

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)

Modified Rules:


 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
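The gid:sid <-> state <-> message (group) format described above is identical across every per-version change log on this page, which makes it straightforward to post-process. The following is an added example, not part of the Talos release notes or of any Talos or Snort tooling: it parses entries in that format, tracks whether each sits under "New Rules" or "Modified Rules", separates the new rules that ship DISABLED (which a sensor will not fire until you opt in) from those ENABLED by default, flags gid 3 shared-object rules, and emits gid:sid lines for the categories you choose. The SAMPLE text is a constructed excerpt of lines taken from this change log, and the one-gid:sid-per-line output format for PulledPork's enablesid.conf is an assumption of the example.

```python
import re
from collections import Counter

# One change-log entry, e.g.
#   " * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)"
# Captures gid, sid, default state, message text and the rule file in parentheses.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: a few lines copied from the 2019-11-05 change log, plus the
# section headers the real file carries, so the parser demonstrates skipping them.
SAMPLE = """\
New Rules:

 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
"""


def parse_changelog(text):
    """Return a list of dicts, one per rule entry, tagged with the section
    ('new' or 'modified') the entry appears under. Non-entry lines are skipped."""
    section = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            # The first token of the message is the rule category (e.g. SERVER-WEBAPP).
            "category": m["msg"].split(" ", 1)[0],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
    return entries


def disabled_new_rules(entries):
    """New rules that ship DISABLED: these produce no alerts until explicitly enabled."""
    return [e for e in entries if e["section"] == "new" and not e["enabled"]]


def shared_object_rules(entries):
    """gid 3 entries are compiled shared-object rules; they need the SO rule pack
    that matches your Snort build, and are absent from the Snort 3 pack on this page."""
    return [e for e in entries if e["gid"] == 3]


def enablesid_lines(entries, categories):
    """gid:sid lines for every entry whose category is in `categories`, in the
    one-per-line form assumed here for PulledPork's enablesid.conf."""
    return [f'{e["gid"]}:{e["sid"]}' for e in entries if e["category"] in categories]


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("entries per category:", Counter(e["category"] for e in rules))
    print("new rules that are DISABLED by default:")
    for e in disabled_new_rules(rules):
        print(f'  {e["gid"]}:{e["sid"]}  {e["msg"]}')
    print("shared-object (gid 3) rules:", [e["sid"] for e in shared_object_rules(rules)])
    print("enablesid.conf lines for web-app and IoC coverage:")
    print("\n".join(enablesid_lines(rules, {"SERVER-WEBAPP", "INDICATOR-COMPROMISE"})))
```

Run it against the full text of one change-log section rather than the constructed SAMPLE to get the complete list; the same parser works on the Snort 3 section, whose group names carry the snort3- prefix, because the group pattern only requires a name ending in .rules.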

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)

Modified Rules:


 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)

Modified Rules:


 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)

Modified Rules:


 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)

Modified Rules:


 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (snort3-protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (snort3-server-other.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (snort3-protocol-voip.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (snort3-server-other.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (snort3-file-flash.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (snort3-protocol-voip.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (snort3-browser-ie.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (snort3-server-other.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (snort3-protocol-voip.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (snort3-file-flash.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (snort3-browser-ie.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (snort3-protocol-voip.rules)

Modified Rules:


 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (snort3-malware-other.rules)
 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (snort3-protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (snort3-protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (snort3-protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (snort3-protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (snort3-protocol-voip.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)

2019-11-05 13:04:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52085 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52077 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52078 <-> DISABLED <-> SERVER-OTHER ISC BIND DHCP client DNAME resource record parsing denial of service attempt (server-other.rules)
 * 1:52073 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52090 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52081 <-> DISABLED <-> INDICATOR-COMPROMISE Responder poisoner service negotiation attack attempt (indicator-compromise.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52093 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large CSeq header value attempt (protocol-voip.rules)
 * 1:52072 <-> DISABLED <-> SERVER-OTHER Microsoft JET Database ExcelExtractString stack buffer overflow attempt (server-other.rules)
 * 1:52084 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine Map prototype memory corruption attempt (browser-ie.rules)
 * 1:52089 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52080 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52088 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier (protocol-voip.rules)
 * 1:52079 <-> DISABLED <-> FILE-FLASH Adobe Flash Player FLV Nellymoser audio codec stack overflow attempt (file-flash.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52092 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52094 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request overly large Warning header value attempt (protocol-voip.rules)
 * 3:52095 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52086 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0944 attack attempt (policy-other.rules)
 * 3:52096 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2019-0946 attack attempt (file-multimedia.rules)
 * 3:52082 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52083 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0945 attack attempt (file-image.rules)
 * 3:52098 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)
 * 3:52097 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0947 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:51509 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51760 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51767 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51504 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing CSeq header attempt (protocol-voip.rules)
 * 1:51761 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing From header field attempt (protocol-voip.rules)
 * 1:51749 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)
 * 1:51524 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51529 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Crysis malicious executable download attempt (malware-other.rules)
 * 1:51508 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture missing To header field attempt (protocol-voip.rules)
 * 1:51494 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture multiple Content-Length headers attempt (protocol-voip.rules)