Talos Rules 2020-05-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, malware-cnc, malware-other, policy-other, protocol-dns, protocol-other and server-webapp rule sets to provide coverage for emerging threats in these areas.

Change logs

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (snort3-malware-cnc.rules)
 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (snort3-malware-other.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (snort3-server-other.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (snort3-server-webapp.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (snort3-malware-other.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (snort3-browser-chrome.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (snort3-server-webapp.rules)
 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (snort3-malware-other.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (snort3-malware-other.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (snort3-server-webapp.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (snort3-malware-other.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (snort3-browser-chrome.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (snort3-malware-cnc.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (snort3-server-webapp.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (snort3-server-webapp.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (snort3-malware-other.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (snort3-server-webapp.rules)

2020-05-07 13:04:00 UTC

Snort Subscriber Rules Update

Date: 2020-05-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53854 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53863 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53862 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-859 UPnP subscribe command injection attempt (server-webapp.rules)
 * 1:53856 <-> ENABLED <-> MALWARE-CNC Embedded.Exploit.Hoaxcalls variant outbound connection (malware-cnc.rules)
 * 1:53859 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53860 <-> ENABLED <-> SERVER-WEBAPP Centurylink router unauthenticated administrator account disable attempt (server-webapp.rules)
 * 1:53865 <-> DISABLED <-> SERVER-OTHER Memcached read command denial of service attempt (server-other.rules)
 * 1:53848 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53852 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53861 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Astaroth outbound beacon (malware-cnc.rules)
 * 1:53855 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-7759444-0 download attempt (malware-other.rules)
 * 1:53849 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Clipbanker-7764305-0 download attempt (malware-other.rules)
 * 1:53853 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Razy-7767366-0 download attempt (malware-other.rules)
 * 1:53858 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53845 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 1:53857 <-> ENABLED <-> SERVER-WEBAPP Grandstream UCM6202 series SQL injection attempt (server-webapp.rules)
 * 1:53866 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint TypeConverter remote code execution attempt (server-webapp.rules)
 * 1:53846 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:53844 <-> DISABLED <-> BROWSER-CHROME Google Chromium ImageCapture use after free attempt (browser-chrome.rules)
 * 3:53864 <-> ENABLED <-> POLICY-OTHER Cisco Firepower User Agent Service default MySQL credentials detected (policy-other.rules)
 * 3:53847 <-> ENABLED <-> PROTOCOL-OTHER Cisco ASA and FTD malformed OSPF denial of service attempt (protocol-other.rules)
 * 3:53867 <-> ENABLED <-> PROTOCOL-DNS Cisco ASA and FTD IPv6 DNS request stack buffer overflow attempt (protocol-dns.rules)
 * 3:53850 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD memory disclosure attempt (server-webapp.rules)
 * 3:53871 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53869 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53870 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53868 <-> ENABLED <-> SERVER-OTHER Cisco ASA and FTD MGCP denial of service attempt (server-other.rules)
 * 3:53851 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA and FTD directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:20116 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint Javascript XSS attempt (server-webapp.rules)