Talos Rules 2019-12-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

gid is the Snort generator ID (1 for text rules) and sid the signature ID; the rule group is the .rules file the signature ships in. The default state is what the rule pack applies when installed unmodified: DISABLED rules are shipped commented out and produce no alerts until an administrator enables them (for example through pulledpork's enablesid.conf), so of the new rules below only the three Win.Ransomware.Zeppelin signatures (1:52451, 1:52452, 1:52453) and 1:52482 alert out of the box.

New Rules:


 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
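
The entry format described above is simple enough to script against. The following Python, an added example that is not part of the Talos release note or of any Talos tooling, parses changelog lines of that form and answers the two questions an operator has after applying the pack: which new rules will alert immediately (those shipped ENABLED) and which DISABLED rules cover software the site actually runs, rendered as pulledpork enablesid.conf lines. The sample changelog embedded in it is a constructed excerpt of the 2091500 list above; the keyword list ("LibreNMS", "Tomcat") is an illustrative assumption about the site's inventory.

```python
"""Parse Talos changelog entries ("gid:sid <-> STATE <-> Message (group.rules)")
and summarise what a rule update changes on an unmodified install."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One entry; the leading "* " bullet is optional.
ENTRY_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)

@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str  # leading token of the message, e.g. "FILE-PDF"
    message: str
    group: str     # the .rules file the signature ships in

def parse_entry(line):
    """RuleEntry for one changelog line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    return RuleEntry(int(m.group("gid")), int(m.group("sid")),
                     m.group("state") == "ENABLED", msg.split(" ", 1)[0],
                     msg, m.group("group"))

def parse_changelog(text):
    """Split a changelog into its 'New Rules:' and 'Modified Rules:' entries."""
    sections, current = {"new": [], "modified": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "New Rules:":
            current = "new"
        elif line == "Modified Rules:":
            current = "modified"
        elif current is not None and (entry := parse_entry(line)) is not None:
            sections[current].append(entry)
    return sections

def summarize_by_group(entries):
    """Enabled/disabled counts per rule file, e.g. {'server-webapp.rules': {'disabled': 2}}."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e.group]["enabled" if e.enabled else "disabled"] += 1
    return {group: dict(c) for group, c in counts.items()}

def newly_alerting(sections):
    """SIDs that start alerting with no operator action: new rules shipped ENABLED."""
    return sorted(e.sid for e in sections["new"] if e.enabled)

def disabled_matching(entries, keywords):
    """Disabled rules whose message names software you actually run: candidates to enable."""
    wanted = [k.lower() for k in keywords]
    return sorted({e.sid for e in entries
                   if not e.enabled and any(k in e.message.lower() for k in wanted)})

def enablesid_lines(sids, gid=1):
    """Render SIDs as pulledpork enablesid.conf entries (gid:sid, one per line)."""
    return [f"{gid}:{sid}" for sid in sorted(sids)]

# Constructed excerpt: entries copied from the 2091500 changelog above.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)

Modified Rules:

 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    sections = parse_changelog(SAMPLE_CHANGELOG)
    print("new rules per file:", summarize_by_group(sections["new"]))
    print("alerting immediately:", newly_alerting(sections))
    # An operator running LibreNMS and Tomcat: disabled rules worth switching on.
    candidates = disabled_matching(sections["new"] + sections["modified"], ["LibreNMS", "Tomcat"])
    print("\n".join(enablesid_lines(candidates)))
```

Feeding the full changelog text to parse_changelog instead of the excerpt gives the same per-file summary for the whole release; the keyword match is deliberately crude (substring on the message) because the message is the only product identifier the changelog carries, so review the candidate list before committing it to enablesid.conf.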

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)

Modified Rules:


 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)

Modified Rules:


 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (snort3-browser-firefox.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (snort3-browser-firefox.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (snort3-server-other.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (snort3-protocol-scada.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (snort3-indicator-compromise.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (snort3-indicator-compromise.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (snort3-browser-ie.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (snort3-server-other.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (snort3-malware-cnc.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (snort3-malware-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (snort3-malware-other.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (snort3-server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (snort3-os-windows.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (snort3-file-pdf.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (snort3-server-apache.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (snort3-server-other.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (snort3-file-pdf.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (snort3-server-other.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (snort3-browser-firefox.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (snort3-browser-firefox.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (snort3-file-pdf.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (snort3-malware-backdoor.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (snort3-file-pdf.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (snort3-malware-backdoor.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (snort3-browser-other.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (snort3-browser-other.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (snort3-browser-ie.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (snort3-browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (snort3-browser-ie.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (snort3-server-webapp.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (snort3-server-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)

Modified Rules:


 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)

2019-12-17 18:22:28 UTC

Snort Subscriber Rules Update

Date: 2019-12-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52466 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52473 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52472 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:52470 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52469 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52476 <-> DISABLED <-> SERVER-OTHER Memcached lru temp_ttl NULL dereference attempt (server-other.rules)
 * 1:52484 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52477 <-> DISABLED <-> SERVER-OTHER Memcached lru mode NULL dereference attempt (server-other.rules)
 * 1:52464 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52471 <-> DISABLED <-> SERVER-APACHE Apache Tomcat chunked transfer encoding denial of service attempt (server-apache.rules)
 * 1:52451 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Zeppelin outbound communication (malware-cnc.rules)
 * 1:52465 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52452 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52482 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)
 * 1:52453 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Zeppelin download attempt (malware-other.rules)
 * 1:52475 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52474 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:52454 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:52455 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52456 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52457 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52483 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:52458 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52459 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52480 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra JIT out of bounds information disclosure attempt (browser-ie.rules)
 * 1:52460 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52461 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52462 <-> DISABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:52468 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52463 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader embedded font type max subroutine buffer overflow attempt (file-pdf.rules)
 * 1:52478 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS integer underflow attempt (protocol-scada.rules)
 * 1:52467 <-> DISABLED <-> BROWSER-PLUGINS Oracle EasyMail Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:52481 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Word internal OLE object update attempt (indicator-compromise.rules)

Modified Rules:


 * 1:29957 <-> DISABLED <-> SERVER-OTHER Kolibri HTTP Server uri buffer overflow attempt (server-other.rules)
 * 1:51127 <-> DISABLED <-> SERVER-OTHER NetBIOS name request probe attempt (server-other.rules)
 * 1:51368 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt (malware-backdoor.rules)
 * 1:40811 <-> DISABLED <-> SERVER-OTHER NTP origin timestamp denial of service attempt (server-other.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:32816 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52076 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:32815 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader raster image memory corruption attempt (file-pdf.rules)
 * 1:52075 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52124 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:50278 <-> ENABLED <-> MALWARE-BACKDOOR MultiOS.Backdoor.Agent webshell implant attempt (malware-backdoor.rules)
 * 1:44147 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:51394 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:51401 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51402 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MSHTML Parsing DoS attempt (browser-ie.rules)
 * 1:51422 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)
 * 1:44146 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JSXML integer overflow attempt (browser-firefox.rules)
 * 1:51393 <-> DISABLED <-> BROWSER-OTHER Mozilla Firefox GeckoActiveXObject exploit attempt (browser-other.rules)
 * 1:52074 <-> DISABLED <-> SERVER-WEBAPP LibreNMS addhost command injection attempt (server-webapp.rules)
 * 1:52125 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt (file-pdf.rules)
 * 1:51420 <-> DISABLED <-> BROWSER-IE Microsoft Edge Scripting Engine array memory corruption attempt (browser-ie.rules)