Talos Rules 2020-08-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, browser-webkit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, os-other, os-windows, policy-other, policy-social, protocol-dns, pua-adware, server-other and x11 rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)

Modified Rules:


 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:


 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)

Modified Rules:


 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (file-office.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (snort3-protocol-dns.rules)
 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (snort3-server-other.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (snort3-malware-cnc.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (snort3-protocol-dns.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (snort3-malware-other.rules)

Modified Rules:


 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (snort3-browser-ie.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (snort3-pua-adware.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (snort3-pua-adware.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (snort3-file-other.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (snort3-server-webapp.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (snort3-browser-webkit.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (snort3-pua-adware.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (snort3-policy-social.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (snort3-indicator-shellcode.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (snort3-app-detect.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (snort3-server-other.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (snort3-x11.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (snort3-x11.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (snort3-browser-webkit.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (snort3-server-webapp.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (snort3-browser-ie.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (snort3-malware-cnc.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (snort3-browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (snort3-browser-ie.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (snort3-server-webapp.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (snort3-malware-cnc.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (snort3-os-windows.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (snort3-os-windows.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (snort3-pua-adware.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (snort3-browser-plugins.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (snort3-file-other.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (snort3-file-multimedia.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (snort3-file-office.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt  (snort3-file-office.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (snort3-pua-adware.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (snort3-file-image.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (snort3-malware-cnc.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (snort3-os-windows.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (snort3-file-identify.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (snort3-malware-cnc.rules)

2020-08-06 12:34:04 UTC

Snort Subscriber Rules Update

Date: 2020-08-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54704 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:54706 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54705 <-> DISABLED <-> PROTOCOL-DNS Treck TCP/IP stack CNAME record heap overflow attempt (protocol-dns.rules)
 * 1:54693 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection (malware-other.rules)
 * 1:54703 <-> ENABLED <-> MALWARE-CNC Unix.Malware.QSnatch infected QNAP device outbound communication attempt (malware-cnc.rules)
 * 3:54697 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54695 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54698 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54701 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54702 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1133 attack attempt (os-other.rules)
 * 3:54694 <-> ENABLED <-> FILE-OTHER Cisco AnyConnect Secure Mobility Client dll-load exploit attempt (file-other.rules)
 * 3:54700 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54696 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)
 * 3:54699 <-> ENABLED <-> POLICY-OTHER Cisco Data Center Network Manager privileged API access detected (policy-other.rules)

Modified Rules:


 * 1:36412 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:20073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (os-windows.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:47247 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:51475 <-> ENABLED <-> FILE-OTHER Microsoft SharePoint deserialization attempt (file-other.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:7129 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 2 (pua-adware.rules)
 * 1:36411 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:7127 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - tracking (pua-adware.rules)
 * 1:54649 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:7128 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - advertising 1 (pua-adware.rules)
 * 1:8063 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer ADODB.Stream ActiveX function call access (browser-plugins.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:26572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer null object access attempt (browser-ie.rules)
 * 1:15903 <-> DISABLED <-> INDICATOR-SHELLCODE x86 PoC CVE-2003-0605 (indicator-shellcode.rules)
 * 1:20618 <-> DISABLED <-> SERVER-OTHER Sage SalesLogix database credential disclosure attempt (server-other.rules)
 * 1:30570 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:13619 <-> DISABLED <-> OS-WINDOWS Microsoft Windows getBulkRequest memory corruption attempt (os-windows.rules)
 * 1:16631 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after remove attempt (browser-webkit.rules)
 * 1:1226 <-> DISABLED <-> X11 xopen (x11.rules)
 * 1:16632 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari image use after reparent attempt (browser-webkit.rules)
 * 1:16646 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RTD buffer overflow attempt (file-office.rules)
 * 1:16647 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record heap memory corruption attempt - 2 (file-office.rules)
 * 1:17186 <-> DISABLED <-> FILE-OTHER Adobe Director file rcsL record exploit attempt (file-other.rules)
 * 1:17531 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime MOV file JVTCompEncodeFrame heap overflow attempt (file-multimedia.rules)
 * 1:54650 <-> DISABLED <-> SERVER-WEBAPP Apache Kylin REST API migrate command injection attempt (server-webapp.rules)
 * 1:12457 <-> DISABLED <-> POLICY-SOCIAL Microsoft Live chat video feed initiation (policy-social.rules)
 * 1:5797 <-> DISABLED <-> APP-DETECT Kontiki runtime detection (app-detect.rules)
 * 1:5836 <-> DISABLED <-> PUA-ADWARE Trickler nictech.bm2 outbound connection (pua-adware.rules)
 * 1:31776 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:31775 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:32259 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt (malware-cnc.rules)
 * 1:31774 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:10126 <-> DISABLED <-> FILE-IMAGE Apple QuickTime JPEG Huffman Table integer underflow attempt (file-image.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:47248 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro crafted GIF file out-of-bounds read attempt (file-image.rules)
 * 1:7130 <-> DISABLED <-> PUA-ADWARE Hijacker wowok mp3 bar outbound connection - search assissant hijacking (pua-adware.rules)
 * 1:46339 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Matrix outbound connection (malware-cnc.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:36414 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:36413 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:31773 <-> ENABLED <-> FILE-IDENTIFY BitTorrent torrent file attachment detected (file-identify.rules)
 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)