Talos Rules 2020-01-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-multimedia, file-office, file-other, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (snort3-malware-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (snort3-malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (snort3-browser-other.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (snort3-browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (snort3-malware-other.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (snort3-browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (snort3-malware-other.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (snort3-malware-other.rules)

Modified Rules:
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (snort3-browser-plugins.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (snort3-server-mail.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (snort3-file-flash.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (snort3-file-flash.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (snort3-file-flash.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (snort3-file-office.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (snort3-file-flash.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (snort3-file-other.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (snort3-file-flash.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (snort3-malware-cnc.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (snort3-file-flash.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (snort3-browser-plugins.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)

2020-01-30 14:43:27 UTC

Snort Subscriber Rules Update

Date: 2020-01-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:52999 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agen-7564625-0 download attempt (malware-other.rules)
 * 1:52989 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52990 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.VBGeneric-7565256-0 download attempt (malware-other.rules)
 * 1:52985 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52981 <-> DISABLED <-> FILE-MULTIMEDIA WM Downloader malformed .m3u file buffer overflow attempt (file-multimedia.rules)
 * 1:52982 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52987 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52986 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52983 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Hyperbro variant payload download attempt (malware-other.rules)
 * 1:52991 <-> DISABLED <-> BROWSER-OTHER Multiple products Content-Type HTTP header buffer overflow attempt (browser-other.rules)
 * 1:52992 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Ponystealer-7564561-0 download attempt (malware-other.rules)
 * 1:52984 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer improper copy buffer access information disclosure attempt (browser-ie.rules)
 * 1:52988 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:52993 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches admin settings page access detected (policy-other.rules)
 * 3:52994 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52995 <-> ENABLED <-> POLICY-OTHER Cisco Small Business Series Switches device configuration page access detected (policy-other.rules)
 * 3:52996 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches information disclosure attempt (server-webapp.rules)
 * 3:52997 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches cross site scripting attempt (server-webapp.rules)
 * 3:52998 <-> ENABLED <-> SERVER-WEBAPP Cisco Small Business Series Switches denial of service attempt (server-webapp.rules)
 * 3:53000 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)
 * 3:53001 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2020-0983 attack attempt (file-other.rules)

Modified Rules:
 * 1:11824 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX function call access (browser-plugins.rules)
 * 1:17328 <-> DISABLED <-> SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow (server-mail.rules)
 * 1:43543 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .m3u file buffer overflow attempt (file-other.rules)
 * 1:19068 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:11822 <-> DISABLED <-> BROWSER-PLUGINS Yahoo Webcam Upload ActiveX clsid access (browser-plugins.rules)
 * 1:19069 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:35262 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:19065 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:35265 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35264 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:19067 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:19066 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)
 * 1:25240 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Menti variant inbound connection (malware-cnc.rules)
 * 1:35261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:19070 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment attempt (file-office.rules)