Talos Rules 2019-12-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-plugins, browser-webkit, file-pdf, malware-cnc, malware-other, os-solaris, os-windows, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)

Modified Rules:

 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (snort3-os-solaris.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (snort3-os-solaris.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (snort3-malware-other.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (snort3-server-other.rules)
 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (snort3-server-other.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (snort3-os-windows.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (snort3-malware-cnc.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (snort3-browser-webkit.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (snort3-malware-cnc.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (snort3-server-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (snort3-malware-other.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (snort3-malware-other.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (snort3-browser-webkit.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (snort3-browser-chrome.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (snort3-browser-plugins.rules)

Modified Rules:

 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (snort3-server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (snort3-browser-plugins.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)

2019-12-03 13:07:46 UTC

Snort Subscriber Rules Update

Date: 2019-12-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:52344 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 1:52342 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52340 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52341 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit out-of-bounds read attempt (browser-webkit.rules)
 * 1:52330 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ramnit-7057830-0 download attempt (malware-other.rules)
 * 1:52333 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52334 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:52335 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MHTML XSS attempt (os-windows.rules)
 * 1:52348 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52336 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52337 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hoplight variant binary download attempt (malware-cnc.rules)
 * 1:52338 <-> DISABLED <-> SERVER-OTHER ISC BIND DNS root DNAME query response denial of service attempt (server-other.rules)
 * 1:52339 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Qakbot-7058183-0 download attempt (malware-other.rules)
 * 1:52349 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 engine memory corruption attempt (browser-chrome.rules)
 * 1:52347 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:52343 <-> DISABLED <-> SERVER-OTHER ISC BIND deny-answer-aliases denial of service attempt (server-other.rules)
 * 3:52332 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)
 * 3:52345 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (server-webapp.rules)
 * 3:52346 <-> ENABLED <-> PROTOCOL-SNMP TRUFFLEHUNTER TALOS-2019-0960 attack attempt (protocol-snmp.rules)
 * 3:52331 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0959 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:20591 <-> DISABLED <-> BROWSER-PLUGINS Flexera InstallShield ISGrid2.dll DoFindReplace heap buffer overlow ActiveX clsid access (browser-plugins.rules)
 * 1:51837 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26573 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:26194 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51621 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51833 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51834 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51620 <-> ENABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26574 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)
 * 1:51836 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:51835 <-> DISABLED <-> SERVER-WEBAPP vBulletin pre-authenticated command injection attempt (server-webapp.rules)
 * 1:26193 <-> DISABLED <-> BROWSER-PLUGINS Honeywell HscRemoteDeploy ActiveX control arbitrary HTA execution attempt (browser-plugins.rules)