Talos Rules 2020-08-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-1380: A coding deficiency exists in Microsoft Windows Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54743 through 54744 (enabled by default).

Microsoft Vulnerability CVE-2020-1480: A coding deficiency exists in Microsoft Windows GDI that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54745 through 54746 (enabled by default).

Microsoft Vulnerability CVE-2020-1529: A coding deficiency exists in Microsoft Windows GDI that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54737 through 54738 (disabled by default).

Microsoft Vulnerability CVE-2020-1566: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54765 through 54766 (disabled by default).

Microsoft Vulnerability CVE-2020-1567: A coding deficiency exists in Microsoft Windows MSHTML Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54741 through 54742 (enabled by default).

Microsoft Vulnerability CVE-2020-1570: A coding deficiency exists in Microsoft Windows Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54739 through 54740 (enabled by default).

Microsoft Vulnerability CVE-2020-1578: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54753 through 54754 (disabled by default).

Microsoft Vulnerability CVE-2020-1584: A coding deficiency exists in Microsoft Windows dnsrslvr.dll that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54735 through 54736 (disabled by default).

Microsoft Vulnerability CVE-2020-1587: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 54733 through 54734 (disabled by default).

The default state of every rule is listed in the change logs below. A rule that ships DISABLED is present in the pack but does not alert until it is enabled in your policy, so the five Windows local privilege escalation and kernel information disclosure pairs above need to be switched on deliberately if you want coverage for them.

Talos also has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-scada, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
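
The advisory paragraphs above and the change-log lines below are two plain-text formats that are easy to cross-check mechanically: which SIDs cited for a CVE actually ship ENABLED, and whether every cited SID is present in the pack at all. The script below is an added example written for this page, not Talos or Snort code; the regular expressions and function names are mine, and the sample strings are excerpts copied from this page's own text.

```python
"""Cross-check a Talos rule-release summary against its change log.

Parses the two plain-text formats on this page: the advisory sentences
("... GID 1, SIDs 54743 through 54744.") and the change-log lines
("1:54743 <-> ENABLED <-> message (file.rules)"), then reports, per CVE,
which of the referenced rules ship DISABLED or are absent from the pack.
Added example for this page; not Talos or Snort code.
"""
import re

# Advisory: a CVE followed (non-greedily) by the GID/SID range that covers it.
ADVISORY_RE = re.compile(
    r"(CVE-\d{4}-\d+).*?GID (\d+), SIDs (\d+) through (\d+)", re.S)
# Change log: "gid:sid <-> Default rule state <-> Message (rule group)".
CHANGELOG_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\((\S+)\)\s*$")


def parse_changelog(text):
    """Return {(gid, sid): (state, message, rule_file)} for every rule line."""
    rules = {}
    for line in text.splitlines():
        m = CHANGELOG_RE.match(line)
        if m:
            gid, sid, state, msg, rule_file = m.groups()
            rules[(int(gid), int(sid))] = (state, msg, rule_file)
    return rules


def parse_advisory(text):
    """Return [(cve, gid, first_sid, last_sid)] from the advisory paragraphs."""
    return [(cve, int(gid), int(lo), int(hi))
            for cve, gid, lo, hi in ADVISORY_RE.findall(text)]


def coverage_report(advisory_text, changelog_text):
    """Map each CVE to [(gid, sid, state, message)] for its referenced SIDs.

    A SID the advisory cites but the change log does not list is reported
    with state "MISSING" rather than silently skipped.
    """
    rules = parse_changelog(changelog_text)
    report = {}
    for cve, gid, lo, hi in parse_advisory(advisory_text):
        entries = []
        for sid in range(lo, hi + 1):
            state, msg, _ = rules.get((gid, sid), ("MISSING", "", ""))
            entries.append((gid, sid, state, msg))
        report[cve] = entries
    return report


def disabled_sids(report):
    """Sorted "gid:sid" strings for every referenced rule not ENABLED by default."""
    wanted = sorted((gid, sid) for entries in report.values()
                    for gid, sid, state, _ in entries if state != "ENABLED")
    return [f"{gid}:{sid}" for gid, sid in wanted]


# Sample input: excerpts copied from this page (three of the nine CVEs and
# the change-log lines for their SIDs, plus one GID 3 line for variety).
ADVISORY = """
Microsoft Vulnerability CVE-2020-1380: A coding deficiency exists in Microsoft Windows Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 54743 through 54744.

Microsoft Vulnerability CVE-2020-1529: A coding deficiency exists in Microsoft Windows GDI that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 54737 through 54738.

Microsoft Vulnerability CVE-2020-1587: A coding deficiency exists in Microsoft Windows Ancillary Function Driver for WinSock that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 54733 through 54734.
"""

CHANGELOG = """
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
"""

if __name__ == "__main__":
    report = coverage_report(ADVISORY, CHANGELOG)
    for cve, entries in report.items():
        for gid, sid, state, msg in entries:
            print(f"{cve}  {gid}:{sid}  {state:<8}  {msg}")
    print("Enable before relying on coverage:", ", ".join(disabled_sids(report)))
```

Run against the full page the script lists the four GDI and AFD SIDs from the excerpt (and, on the whole advisory, all ten DISABLED SIDs) as the ones to enable before assuming coverage for those CVEs; the resulting gid:sid list is in the form that rule-management tooling such as PulledPork's enablesid configuration consumes, though the exact file syntax for your deployment is outside what this page documents. The MISSING state is there for the case where release notes cite a SID that your locally installed pack does not actually contain, which is worth catching before you report a detection as deployed.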

New Rules:


 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)

Modified Rules:


 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)

Modified Rules:


 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)

Modified Rules:


 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)

Modified Rules:


 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)

Modified Rules:


 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)

Modified Rules:


 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)

Modified Rules:


 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (snort3-os-windows.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (snort3-file-other.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (snort3-malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (snort3-file-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (snort3-malware-other.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (snort3-server-webapp.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (snort3-malware-other.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (snort3-malware-other.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (snort3-os-windows.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (snort3-malware-other.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (snort3-malware-other.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (snort3-malware-other.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (snort3-os-windows.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (snort3-os-windows.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (snort3-server-oracle.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (snort3-server-webapp.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (snort3-malware-other.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (snort3-server-webapp.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (snort3-malware-other.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (snort3-os-windows.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (snort3-malware-other.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (snort3-os-windows.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (snort3-malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (snort3-malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (snort3-malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (snort3-malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (snort3-malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (snort3-malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (snort3-malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (snort3-malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (snort3-malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (snort3-malware-other.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (snort3-malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (snort3-malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (snort3-malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (snort3-malware-other.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (snort3-malware-other.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (snort3-os-windows.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (snort3-server-webapp.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (snort3-policy-other.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (snort3-policy-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (snort3-policy-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (snort3-server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (snort3-server-other.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (snort3-server-webapp.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (snort3-file-other.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (snort3-file-other.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (snort3-file-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (snort3-server-webapp.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (snort3-file-image.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (snort3-file-other.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (snort3-file-other.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (snort3-malware-cnc.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (snort3-server-other.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (snort3-file-other.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (snort3-file-other.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (snort3-file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (snort3-file-office.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (snort3-server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (snort3-file-flash.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (snort3-file-pdf.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (snort3-file-pdf.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (snort3-file-flash.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (snort3-file-office.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (snort3-file-image.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (snort3-file-office.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (snort3-server-webapp.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (snort3-file-office.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (snort3-indicator-compromise.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (snort3-file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (snort3-file-image.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (snort3-policy-other.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (snort3-file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (snort3-file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (snort3-server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (snort3-server-other.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (snort3-protocol-scada.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (snort3-os-windows.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (snort3-os-windows.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (snort3-os-windows.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (snort3-file-image.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (snort3-file-image.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (snort3-file-image.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (snort3-server-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (snort3-file-image.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (snort3-browser-ie.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (snort3-malware-backdoor.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (snort3-file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (snort3-file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (snort3-file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (snort3-file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (snort3-file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (snort3-file-office.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (snort3-indicator-compromise.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (snort3-malware-cnc.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (snort3-file-image.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (snort3-server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (snort3-protocol-scada.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (snort3-server-webapp.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (snort3-file-other.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (snort3-os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (snort3-os-windows.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (snort3-file-image.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (snort3-file-image.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (snort3-file-other.rules)

2020-08-11 17:16:08 UTC

Snort Subscriber Rules Update

Date: 2020-08-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (the snapshot built for Snort 2.9.8.3).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

Here gid:sid is the generator and signature ID pair that identifies the rule (gid 1 for text rules, gid 3 for shared-object rules), the default rule state is the state the rule ships in (ENABLED rules alert in the default policy, while DISABLED rules are present in the rule file but commented out until you enable them in your local policy), Message is the rule's msg text, and the rule group is the .rules file that contains it.
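When a rule pack lands, the first operational question is which of the newly added rules are DISABLED by default and therefore will not alert until you turn them on. The following parser for the listing format above is an added example, not part of the Talos update or of Snort itself; the sample lines are constructed by copying a few entries from this update, and the enablesid_entries helper emits the gid:sid form that tools such as PulledPork's enablesid.conf accept (the range bounds it is called with are taken from the SID ranges announced for this release).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from this update's listing, in the
# documented format "gid:sid <-> Default rule state <-> Message (rule group)".
SAMPLE = """\
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
"""

# One listing line: leading " * ", gid:sid, state, msg text, and the .rules file in parentheses.
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[^)]+)\)\s*$"
)


def parse_rule_lines(text):
    """Parse listing lines into dicts; headers, dates and blank lines simply don't match and are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rules.append({
            "gid": int(m["gid"]),      # 1 = text rules, 3 = shared-object rules
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
        })
    return rules


def disabled_in_range(rules, gid, lo, hi):
    """SIDs in [lo, hi] for the given gid that ship DISABLED, i.e. will not alert until enabled locally."""
    return sorted(
        r["sid"] for r in rules
        if r["gid"] == gid and lo <= r["sid"] <= hi and r["state"] == "DISABLED"
    )


def enablesid_entries(rules, gid, lo, hi):
    """gid:sid entries, one per element, for the disabled rules in the range (the form enablesid.conf takes)."""
    return [f"{gid}:{sid}" for sid in disabled_in_range(rules, gid, lo, hi)]


def summarize(rules):
    """Per rule file, how many entries ship ENABLED vs DISABLED."""
    by_group = defaultdict(Counter)
    for r in rules:
        by_group[r["group"]][r["state"]] += 1
    return {g: dict(c) for g, c in by_group.items()}


if __name__ == "__main__":
    parsed = parse_rule_lines(SAMPLE)
    print(summarize(parsed))
    # The two GDI privilege-escalation rules for this release ship disabled; list them for enabling.
    print("\n".join(enablesid_entries(parsed, 1, 54737, 54738)))
```

Run it against the full text of the update rather than the sample to get the real picture: in this release the GDI rules 54745/54746 are on by default while 54737/54738 and the TCPIP use-after-free rules 54765/54766 are not, so coverage for those is only as good as your local enablesid handling.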

New Rules:


 * 1:54752 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54709 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54739 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54754 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54760 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54757 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54748 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54756 <-> DISABLED <-> FILE-OTHER Grub malicious grub.cfg download attempt (file-other.rules)
 * 1:54766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54726 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54711 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54753 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:54755 <-> ENABLED <-> SERVER-ORACLE Oracle Weblogic T3 remote code execution attempt (server-oracle.rules)
 * 1:54768 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54761 <-> DISABLED <-> MALWARE-OTHER Win.Malware.Midie-9242514-0 download attempt (malware-other.rules)
 * 1:54737 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54759 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54749 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54734 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54767 <-> ENABLED <-> SERVER-WEBAPP vBulletin template rendering arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:54765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCPIP kernel driver use-after-free attempt (os-windows.rules)
 * 1:54708 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54747 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54744 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54742 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:54751 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54740 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54745 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI elevation of privilege attempt (os-windows.rules)
 * 1:54743 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:54710 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zusy-9219867-0 download attempt (malware-other.rules)
 * 1:54717 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54718 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Zeroaccess-9220863-0 download attempt (malware-other.rules)
 * 1:54712 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220292-0 download attempt (malware-other.rules)
 * 1:54715 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54713 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54722 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54728 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54735 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54733 <-> DISABLED <-> OS-WINDOWS Microsoft Windows AFD kernel driver privilege escalation attempt (os-windows.rules)
 * 1:54758 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Ap0calypseRAT-9216554-0 download attempt (malware-other.rules)
 * 1:54738 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:54727 <-> DISABLED <-> SERVER-WEBAPP ZoomOpener remote code execution attempt (server-webapp.rules)
 * 1:54725 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.SpyEye-9225535-0 download attempt (malware-other.rules)
 * 1:54723 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54714 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220295-0 download attempt (malware-other.rules)
 * 1:54719 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54720 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Generic-9222527-0 download attempt (malware-other.rules)
 * 1:54721 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221778-0 download attempt (malware-other.rules)
 * 1:54724 <-> DISABLED <-> MALWARE-OTHER Win.Downloader.Banload-9221789-0 download attempt (malware-other.rules)
 * 1:54716 <-> DISABLED <-> MALWARE-OTHER Win.Dropper.Zeus-9220296-0 download attempt (malware-other.rules)
 * 1:54750 <-> DISABLED <-> MALWARE-OTHER Win.Ransomware.Nephilim variant binary download attempt (malware-other.rules)
 * 1:54707 <-> DISABLED <-> MALWARE-OTHER Win.Packed.Agentb-9219640-0 download attempt (malware-other.rules)
 * 1:54736 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Resolver local privilege escalation attempt (os-windows.rules)
 * 1:54741 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:54764 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54731 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)
 * 3:54762 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54729 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54730 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1138 attack attempt (os-other.rules)
 * 3:54763 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1135 attack attempt (policy-other.rules)
 * 3:54732 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2020-1134 attack attempt (os-other.rules)

Modified Rules:


 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45329 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR clear logs request attempt (server-webapp.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:42140 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45322 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR channel information query attempt (server-webapp.rules)
 * 1:42460 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:46704 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:20769 <-> DISABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malicious font file remote code execution attempt (file-other.rules)
 * 1:42459 <-> DISABLED <-> INDICATOR-COMPROMISE Adobe Reader PDF embedded null JPEG image (indicator-compromise.rules)
 * 1:21301 <-> DISABLED <-> FILE-OFFICE Microsoft Office Visio TAG_xxxSect code execution attempt (file-office.rules)
 * 1:42090 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:45321 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR firmware version query attempt (server-webapp.rules)
 * 1:42091 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:44953 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:47185 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:23550 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record stack buffer overflow attempt (file-office.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:46703 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EMR_STRETCHDIBITS size out of bounds read attempt (file-other.rules)
 * 1:47959 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:47960 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF file out-of-bounds write attempt (file-other.rules)
 * 1:45320 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR serial number query attempt (server-webapp.rules)
 * 1:23944 <-> DISABLED <-> SERVER-WEBAPP empty zip file upload attempt (server-webapp.rules)
 * 1:24414 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:50138 <-> ENABLED <-> MALWARE-CNC Win.Dropper.ELECTRICFISH variant outbound connection (malware-cnc.rules)
 * 1:24415 <-> DISABLED <-> FILE-FLASH Adobe Flash Player stsz box heap overflow attempt (file-flash.rules)
 * 1:44954 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds buffer overflow attempt (file-other.rules)
 * 1:51042 <-> DISABLED <-> SERVER-OTHER ZeroMQ libzmq pointer overflow attempt (server-other.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:25294 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:42995 <-> DISABLED <-> PROTOCOL-SCADA Weintek EB Pro denial of service attempt (protocol-scada.rules)
 * 1:25296 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel IPMT record buffer overflow attempt (file-office.rules)
 * 1:51310 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:51311 <-> DISABLED <-> FILE-OFFICE Microsoft Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 1:25376 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:51471 <-> DISABLED <-> POLICY-OTHER Supermicro BMC Virtual Media service default credentials use attempt (policy-other.rules)
 * 1:51874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:42141 <-> ENABLED <-> FILE-IMAGE Corel PHOTO-PAINT X8 GIF Filter Code Execution Vulnerability attempt (file-image.rules)
 * 1:25378 <-> DISABLED <-> FILE-IMAGE Apple QuickTime Targa image file buffer overflow attempt (file-image.rules)
 * 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:45324 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user password hash query attempt (server-webapp.rules)
 * 1:45693 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK denial of service attempt (server-other.rules)
 * 1:28544 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:28546 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record memory corruption attempt (file-office.rules)
 * 1:29516 <-> DISABLED <-> SERVER-OTHER HP LeftHand Virtual SAN hydra information disclosure attempt (server-other.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:32697 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32698 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32699 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32700 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:32701 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:51876 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DLL Load Configuration Directory out of bounds read attempt (os-windows.rules)
 * 1:32702 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JPEG stack information disclosure attempt (browser-ie.rules)
 * 1:53241 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:53242 <-> DISABLED <-> FILE-IMAGE Microsoft Windows GDI information disclosure attempt (file-image.rules)
 * 1:34500 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection (malware-backdoor.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:45326 <-> DISABLED <-> SERVER-WEBAPP Dahua DVR user group information query attempt (server-webapp.rules)
 * 1:39110 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39111 <-> DISABLED <-> FILE-OFFICE Hancom Hangul Office HCell HncChart out of bounds write attempt (file-office.rules)
 * 1:39687 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:39688 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed embeded TTF file memory corruption attempt (file-pdf.rules)
 * 1:40944 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:40945 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel CrtMlFrt record out of bounds read attempt (file-office.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:54614 <-> DISABLED <-> SERVER-OTHER Zoom client unauthorized user kick attempt (server-other.rules)
 * 1:42332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Doublepulsar variant ping command (malware-cnc.rules)
 * 1:42088 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)
 * 1:47186 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro EMF EmfPlusDrawLines heap overflow attempt (file-pdf.rules)
 * 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
 * 1:42089 <-> DISABLED <-> FILE-IMAGE Corel Photo Paint invalid ImageLength memory corruption attempt (file-image.rules)