Talos Rules 2019-11-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-plugins, browser-webkit, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)

Modified Rules:


 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)

Modified Rules:


 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)

Modified Rules:


 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)

Modified Rules:


 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (snort3-server-webapp.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (snort3-server-other.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (snort3-server-apache.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (snort3-malware-cnc.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (snort3-file-other.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (snort3-malware-cnc.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (snort3-file-image.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (snort3-server-webapp.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (snort3-file-other.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (snort3-protocol-voip.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (snort3-protocol-voip.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (snort3-server-apache.rules)

Modified Rules:


 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (snort3-protocol-scada.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (snort3-protocol-voip.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (snort3-file-other.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (snort3-protocol-voip.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (snort3-server-other.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (snort3-file-other.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (snort3-protocol-voip.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (snort3-malware-cnc.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (snort3-browser-plugins.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)

Modified Rules:


 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)

2019-11-26 17:26:49 UTC

Snort Subscriber Rules Update

Date: 2019-11-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
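The entry format above is regular enough to parse mechanically, which is how most teams reconcile a rule update with their own tuning (which new rules ship DISABLED, which groups they land in, which SIDs to review before enabling). The following parser is an added example, not Talos code and not part of the rule pack: it reads "New Rules:" and "Modified Rules:" sections, extracts gid, sid, default state, message and rule group from each entry, and summarises them. The sample text is a handful of entries copied from this changelog; the function names are my own.

```python
import re
from collections import Counter

# One changelog entry:  " * gid:sid <-> STATE <-> Message (rule-group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_entry(line):
    """Return a dict for one entry line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["gid"] = int(entry["gid"])
    entry["sid"] = int(entry["sid"])
    return entry


def parse_changelog(text):
    """Split a changelog into its 'new' and 'modified' entry lists.

    Lines before the first section header (the version banner, the format
    description) are ignored; only entries under a recognised header count.
    """
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            current = "new"
            continue
        if stripped == "Modified Rules:":
            current = "modified"
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def summarize(entries):
    """Count entries by default state and by rule group."""
    return {
        "by_state": Counter(e["state"] for e in entries),
        "by_group": Counter(e["group"] for e in entries),
    }


def enabled_sids(entries):
    """SIDs that are on by default, i.e. will start firing after the update."""
    return sorted(e["sid"] for e in entries if e["state"] == "ENABLED")


def review_candidates(entries, groups):
    """SIDs shipped DISABLED in the given groups: the ones worth a manual look
    when those groups cover technology you actually run (e.g. Solr, SIP)."""
    return sorted(
        e["sid"] for e in entries
        if e["state"] == "DISABLED" and e["group"] in groups
    )


# Constructed sample: a few entries copied from this changelog, in its format.
SAMPLE = """\
New Rules:

 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)

Modified Rules:

 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new:", summarize(parsed["new"]))
    print("modified:", summarize(parsed["modified"]))
    print("enabled new SIDs:", enabled_sids(parsed["new"]))
    print("review:", review_candidates(parsed["new"], {"server-apache.rules"}))
```

Run against the full text of a release, the same functions give the enabled/disabled split per group, which is the input to a local enablesid/disablesid tuning file. The regex anchors on the literal "<->" separators and the trailing "(…rules)" group, so a message that itself contains parentheses still parses, because the group capture is pinned to the end of the line.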

New Rules:


 * 1:52324 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52321 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52310 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52309 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious executable download attempt (malware-cnc.rules)
 * 1:52313 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52312 <-> DISABLED <-> FILE-IMAGE Imagemagick XBM tranformation information leak attempt (file-image.rules)
 * 1:52323 <-> DISABLED <-> SERVER-OTHER ABB PGIM unauthenticated credential disclosure attempt (server-other.rules)
 * 1:52326 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)
 * 1:52319 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52322 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52329 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52318 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52320 <-> DISABLED <-> FILE-OTHER VLC Media Player malformed APE buffer overflow attempt (file-other.rules)
 * 1:52311 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52315 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52308 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious document download attempt (malware-cnc.rules)
 * 1:52316 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52314 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit memory corruption attempt (browser-webkit.rules)
 * 1:52317 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 JavaScript Engine memory corruption attempt (browser-chrome.rules)
 * 1:52325 <-> DISABLED <-> SERVER-APACHE Apache Solr Velocity Response Writer remote code execution attempt (server-apache.rules)
 * 1:52328 <-> DISABLED <-> SERVER-WEBAPP Asus RT-N10 Repeater Mode command injection attempt (server-webapp.rules)
 * 1:52327 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request missing transaction identifier attempt (protocol-voip.rules)

Modified Rules:


 * 1:51764 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:20326 <-> DISABLED <-> PROTOCOL-VOIP From header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:20340 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:27210 <-> DISABLED <-> SERVER-OTHER IPMI RAKP cipher zero remote authentication bypass attempt (server-other.rules)
 * 1:34936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swaylib variant outbound connection (malware-cnc.rules)
 * 1:39686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:51511 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request URI with atypical scheme attempt (protocol-voip.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42016 <-> DISABLED <-> PROTOCOL-SCADA Moxa discovery packet information disclosure attempt (protocol-scada.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt (malware-cnc.rules)
 * 1:43540 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:43541 <-> DISABLED <-> FILE-OTHER Multiple products media player wma file buffer overflow attempt (file-other.rules)
 * 1:47109 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:47110 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)