Talos Rules 2019-12-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, content-replace, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, os-linux, os-mobile, os-other, os-solaris, os-windows, policy-multimedia, policy-other, policy-social, policy-spam, protocol-dns, protocol-finger, protocol-ftp, protocol-icmp, protocol-imap, protocol-nntp, protocol-other, protocol-pop, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, protocol-tftp, protocol-voip, pua-adware, pua-other, pua-p2p, pua-toolbars, scada, server-apache, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other, server-samba, server-webapp and x11 rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45821 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45820 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45819 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:45444 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45443 <-> ENABLED <-> OS-OTHER Intel x64 side-channel analysis information leak attempt (os-other.rules)
 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45255 <-> ENABLED <-> SERVER-SAMBA Samba tree connect andx memory corruption attempt (server-samba.rules)
 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:44920 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44919 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EmfPlusRectF out of bounds read attempt (file-other.rules)
 * 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
 * 1:45839 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45838 <-> DISABLED <-> DELETED FILE-OTHER Adobe Acrobat Pro malformed cmap out of bounds read attempt (deleted.rules)
 * 1:45822 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusDrawRects record out of bounds read attempt (file-other.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46619 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46613 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46616 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46615 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46614 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46618 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:46617 <-> DISABLED <-> OS-LINUX Linux systemd DNS resolver denial of service attempt (os-linux.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:51485 <-> DISABLED <-> SERVER-OTHER Squid proxy DNS CNAME record response denial of service attempt (server-other.rules)
 * 1:51481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RDP client buffer overflow attempt (os-windows.rules)
 * 1:51181 <-> DISABLED <-> SERVER-OTHER NTPsec 1.1.2 ntp_control out-of-bounds read attempt (server-other.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:49090 <-> ENABLED <-> SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt (server-samba.rules)
 * 1:47821 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47820 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid Diffie-Hellman parameter NULL pointer dereference attempt (server-other.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47587 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:47586 <-> DISABLED <-> FILE-OTHER Info-ZIP UnZip heap buffer overflow attempt (file-other.rules)
 * 1:46784 <-> DISABLED <-> SERVER-OTHER Pidgin MSN MSNP2P SLP message integer overflow attempt (server-other.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)

Modified Rules:
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:43004 <-> ENABLED <-> SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt (server-samba.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)

Modified Rules:
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)

Modified Rules:
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)

Modified Rules:
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)

Modified Rules:
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (snort3-server-other.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (snort3-file-multimedia.rules)
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (snort3-file-image.rules)
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (snort3-server-apache.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (snort3-server-other.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (snort3-browser-webkit.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (snort3-file-multimedia.rules)

Modified Rules:
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (snort3-protocol-dns.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (snort3-protocol-dns.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (snort3-protocol-dns.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (snort3-protocol-dns.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (snort3-policy-other.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (snort3-malware-backdoor.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (snort3-protocol-voip.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (snort3-protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (snort3-protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (snort3-server-webapp.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (snort3-protocol-dns.rules)
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (snort3-protocol-dns.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (snort3-protocol-dns.rules)

2019-12-19 13:15:38 UTC

Snort Subscriber Rules Update

Date: 2019-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52494 <-> DISABLED <-> SERVER-APACHE Apache httpd mod_remoteip heap buffer overflow attempt (server-apache.rules)
 * 1:52488 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 1:52487 <-> DISABLED <-> SERVER-OTHER OpenSSL SSL ChangeCipherSpec man-in-the-middle attempt (server-other.rules)
 * 1:52486 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52498 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52501 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:52485 <-> DISABLED <-> BROWSER-WEBKIT Apple Webkit updateMinimumColumnHeight use-after-free attempt (browser-webkit.rules)
 * 1:52500 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52499 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52497 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop Camera Raw plug-in TIFF image processing buffer underflow attempt (file-image.rules)
 * 1:52489 <-> DISABLED <-> FILE-MULTIMEDIA Nokia PC Suite Video Manager mp4 denial of service attempt (file-multimedia.rules)
 * 3:52491 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52493 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52496 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)
 * 3:52492 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52490 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2019-0972 attack attempt (file-image.rules)
 * 3:52495 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0971 attack attempt (file-other.rules)

Modified Rules:
 * 1:39950 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)
 * 1:52449 <-> DISABLED <-> POLICY-OTHER Potential phishing domain ddns.net outbound connection detected (policy-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:39946 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:20341 <-> DISABLED <-> PROTOCOL-VOIP To header unquoted tokens in field attempt (protocol-voip.rules)
 * 1:50276 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39952 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:50277 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt (malware-backdoor.rules)
 * 1:39949 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39953 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TSIG query denial of service attempt (protocol-dns.rules)
 * 1:39948 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TKEY query denial of service attempt (protocol-dns.rules)
 * 1:50860 <-> DISABLED <-> SERVER-WEBAPP Palo Alto GlobalProtect SSL VPN buffer overflow attempt (server-webapp.rules)
 * 1:39947 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TKEY query denial of service attempt (protocol-dns.rules)
 * 1:39951 <-> DISABLED <-> PROTOCOL-DNS PowerDNS TCP TSIG query denial of service attempt (protocol-dns.rules)