Talos Rules 2019-11-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-image, file-office, file-pdf, malware-other, os-mobile, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that nearly all of the new text rules in this release ship DISABLED by default (only 1:52290, the Win.Backdoor.Agent loader download rule, is ENABLED); the MDaemon, Excel MsoDrawingGroup, libpng, libstagefright and Hummingbird LPD rules will not fire until you enable them in your policy.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
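The changelog above is machine-readable: every rule line has the shape `gid:sid <-> Default rule state <-> Message (rule group)` described at the top of each section. The parser below is an added example written for this page, not Talos or Snort code. It splits each line into gid, sid, default state, category, message and rule file, separates new from modified rules, pulls out the new rules that ship DISABLED (the ones you must opt into), and emits `gid:sid` lines for selected rule groups. Two things are assumptions rather than facts the page states: the sample text is a constructed excerpt of the list above, and the `gid:sid`-per-line output is assumed to be what your rule-tuning pipeline (for example a PulledPork `enablesid.conf`) consumes. The gid-3 check reflects a general Snort fact, not something the page explains: gid 3 identifies shared-object (precompiled) rules, which you cannot edit as text.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the changelog, in its own format.
SAMPLE = """\
New Rules:

 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> CATEGORY message text (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<category>[A-Z-]+)\s+(?P<msg>.+?)\s+\((?P<group>[^)]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # "ENABLED" or "DISABLED" (the default policy state)
    category: str   # e.g. "SERVER-WEBAPP"
    msg: str        # the rule's msg text after the category
    group: str      # rules file, e.g. "server-webapp.rules"
    section: str    # "new" or "modified"


def parse_changelog(text):
    """Parse one 'Snort Subscriber Rules Update' block into RuleEntry records."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, dates, format description, free text
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"],
                                 m["category"], m["msg"], m["group"], section))
    return entries


def disabled_new_rules(entries):
    """New rules that ship DISABLED: they never fire unless you enable them."""
    return [e for e in entries if e.section == "new" and e.state == "DISABLED"]


def shared_object_rules(entries):
    """gid 3 entries are shared-object rules (precompiled, not editable as text)."""
    return [e for e in entries if e.gid == 3]


def enablesid_lines(entries, groups):
    """'gid:sid' lines, sorted, for every entry in the given rule groups.
    Assumption: this is the shape your tuning pipeline (e.g. PulledPork's
    enablesid.conf) takes; adjust if yours differs."""
    chosen = sorted((e.gid, e.sid) for e in entries if e.group in groups)
    return [f"{gid}:{sid}" for gid, sid in chosen]


def count_by_group(entries):
    """How many entries touched each rules file."""
    return Counter(e.group for e in entries)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("entries:", len(rules))
    print("new but disabled:", [f"{e.gid}:{e.sid}" for e in disabled_new_rules(rules)])
    print("SO rules:", [f"{e.gid}:{e.sid}" for e in shared_object_rules(rules)])
    print("enable:", enablesid_lines(rules, {"server-webapp.rules", "server-other.rules"}))
    print(count_by_group(rules))
```

Run it against the full text of one changelog block to see which of the 25 new rules you are actually getting alerts from (in this release, one) and which you would need to enable after checking that the affected product, for example MDaemon, is present in your environment.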

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (snort3-file-image.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (snort3-file-image.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (snort3-server-other.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (snort3-os-mobile.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (snort3-os-mobile.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (snort3-malware-other.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (snort3-server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (snort3-server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (snort3-browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (snort3-browser-webkit.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)

2019-11-21 13:47:19 UTC

Snort Subscriber Rules Update

Date: 2019-11-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52304 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52306 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52296 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52307 <-> DISABLED <-> FILE-IMAGE Mutiple products libpng extra row heap overflow attempt (file-image.rules)
 * 1:52287 <-> DISABLED <-> SERVER-OTHER Hummingbird InetD LPD buffer overflow attempt (server-other.rules)
 * 1:52293 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52300 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52298 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52302 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52283 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52290 <-> ENABLED <-> MALWARE-OTHER Win.Backdoor.Agent malicious DLL loader download attempt (malware-other.rules)
 * 1:52297 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52295 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52305 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52301 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52291 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52294 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52299 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52286 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52288 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52285 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52303 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)
 * 1:52289 <-> DISABLED <-> OS-MOBILE Google Android libstagefright integer underflow attempt (os-mobile.rules)
 * 1:52284 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:52292 <-> DISABLED <-> SERVER-WEBAPP MDaemon auto responder remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 1:27234 <-> DISABLED <-> SERVER-OTHER Microsoft Active Directory LDAP search denial of service attempt (server-other.rules)
 * 1:33654 <-> DISABLED <-> SERVER-OTHER OpenSSH maxstartup threshold potential connection exhaustion denial of service attempt (server-other.rules)
 * 1:51415 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 1:51416 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari memory corruption attempt (browser-webkit.rules)
 * 3:36210 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36211 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0002 attack attempt (os-windows.rules)
 * 3:36223 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:36222 <-> ENABLED <-> OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (os-windows.rules)
 * 3:37506 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:37505 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0086 attack attempt (file-pdf.rules)
 * 3:36652 <-> ENABLED <-> SERVER-OTHER Cisco ESA malformed spf TXT record anti-spam bypass attempt (server-other.rules)