Talos Rules 2020-02-12
This release adds and modifies rules in several categories.

Microsoft Vulnerability CVE-2020-0817: A coding deficiency exists in the Microsoft Remote Desktop Client that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SID 53104. Note that this rule ships DISABLED by default (see the change logs below); it provides no coverage for CVE-2020-0817 until you enable it in your policy.

Talos also has added and modified multiple rules in the browser-plugins, browser-webkit, file-image, file-java, file-multimedia, malware-tools, os-windows, protocol-scada and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)

Modified Rules:


 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
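The change-log lines above follow the documented format gid:sid <-> Default rule state <-> Message (rule group). The following script is an added example, not Talos or Snort code, showing how to parse that format and answer the questions a deployer should ask before rolling the release out: which new rules are DISABLED by default (1:53104, the CVE-2020-0817 rule, is one of them), which entries are GID 3 shared-object rules that need the precompiled module for your Snort build, and which rules appear in the 2.9.15.1 list but not in the Snort 3 list. The sample inputs are the "New Rules" lists for the 2.9.15.1 and Snort 3 packs copied from this page; the gid:sid output format assumes a PulledPork-style enablesid.conf, which is an assumption about your tooling.

```python
"""Parse Snort rule-pack change-log lines (gid:sid <-> state <-> message (group))
and answer the questions a deployer asks before rolling a release out."""
import re

# One change-log line, as documented on the release page:
#   gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)

# Sample input: the "New Rules" lists for the 2.9.15.1 and Snort 3 packs,
# copied from this release's change logs (an excerpt, not a full pack).
SNORT2_NEW = """
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
"""

SNORT3_NEW = """
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (snort3-os-windows.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (snort3-malware-tools.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (snort3-browser-webkit.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (snort3-browser-webkit.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line; lines not in the documented format are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules.append({"gid": int(m["gid"]), "sid": int(m["sid"]),
                          "state": m["state"], "msg": m["msg"], "group": m["group"]})
    return rules


def ids(rules):
    """Sorted (gid, sid) pairs for any iterable of parsed rules."""
    return sorted((r["gid"], r["sid"]) for r in rules)


def disabled_by_default(rules):
    """New rules that give no coverage until you enable them yourself."""
    return ids(r for r in rules if r["state"] == "DISABLED")


def shared_object_rules(rules):
    """GID 3 entries are shared-object (SO) rules: they need the precompiled
    module for your Snort build, not just the text rule file."""
    return ids(r for r in rules if r["gid"] == 3)


def search(rules, keyword):
    """Rules whose message mentions keyword (case-insensitive)."""
    return ids(r for r in rules if keyword.lower() in r["msg"].lower())


def missing_from(pack_a, pack_b):
    """Rules listed in pack_a that pack_b does not list at all."""
    return sorted(set(ids(pack_a)) - set(ids(pack_b)))


def enablesid_lines(pairs):
    """gid:sid lines in the form a PulledPork-style enablesid.conf accepts (assumed tooling)."""
    return [f"{gid}:{sid}" for gid, sid in pairs]


if __name__ == "__main__":
    s2, s3 = parse_changelog(SNORT2_NEW), parse_changelog(SNORT3_NEW)
    print("disabled by default (2.9.15.1):", enablesid_lines(disabled_by_default(s2)))
    print("SO rules (2.9.15.1):", enablesid_lines(shared_object_rules(s2)))
    print("RDP client coverage:", enablesid_lines(search(s2, "Remote Desktop")))
    print("in 2.9.15.1 but not in Snort 3 list:", enablesid_lines(missing_from(s2, s3)))
```

Run against the two excerpts, the script reports six GID 1 rules disabled by default (including 1:53104), seven GID 3 shared-object rules, and that exactly those seven GID 3 rules are absent from the Snort 3 list on this page. Feed it a whole change log instead of the excerpt to audit a full release the same way.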

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)

Modified Rules:


 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)

Modified Rules:


 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)

Modified Rules:


 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)

Modified Rules:


 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (snort3-os-windows.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (snort3-malware-tools.rules)
 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (snort3-browser-webkit.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (snort3-browser-webkit.rules)

Modified Rules:


 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (snort3-browser-plugins.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (snort3-protocol-scada.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (snort3-protocol-scada.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (snort3-browser-plugins.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (snort3-protocol-scada.rules)
 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (snort3-browser-plugins.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (snort3-browser-plugins.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (snort3-protocol-scada.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (snort3-browser-plugins.rules)

2020-02-12 22:57:03 UTC

Snort Subscriber Rules Update

Date: 2020-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53095 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53101 <-> ENABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 1:53090 <-> ENABLED <-> MALWARE-TOOLS Malicious HTML application download attempt (malware-tools.rules)
 * 1:53091 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53104 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client PDU parsing integer overflow attempt (os-windows.rules)
 * 1:53092 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53096 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima F1BookView ActiveX clsid access attempt (browser-plugins.rules)
 * 1:53100 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit WebCore memory corruption attempt (browser-webkit.rules)
 * 3:53103 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53102 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1002 attack attempt (server-other.rules)
 * 3:53093 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53094 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2020-1012 attack attempt (file-multimedia.rules)
 * 3:53097 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53098 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1009 attack attempt (file-image.rules)
 * 3:53099 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-1000 attack attempt (server-other.rules)

Modified Rules:


 * 1:35001 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:43537 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS Statistics ActiveX clsid access attempt (browser-plugins.rules)
 * 1:24582 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:25565 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:24581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:24580 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX function call access (protocol-scada.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:25566 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)
 * 1:20581 <-> DISABLED <-> PROTOCOL-SCADA Broadwin WebAccess ActiveX clsid access (protocol-scada.rules)
 * 1:35002 <-> DISABLED <-> BROWSER-PLUGINS Oracle AutoVue ActiveX control function call access attempt (browser-plugins.rules)