Talos Rules 2021-02-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-executable, file-image, malware-cnc, os-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (snort3-server-webapp.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (snort3-server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (snort3-server-webapp.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (snort3-server-webapp.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (snort3-server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (snort3-os-windows.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (snort3-server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (snort3-server-webapp.rules)
 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (snort3-browser-firefox.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (snort3-file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (snort3-malware-cnc.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (snort3-file-image.rules)

2021-02-18 13:50:07 UTC

Snort Subscriber Rules Update

Date: 2021-02-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57180 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57188 <-> DISABLED <-> SERVER-WEBAPP Hewlett Packard Enterprise Intelligent Management Center arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:57183 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57177 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57176 <-> DISABLED <-> SERVER-WEBAPP MikroTik RouterOS buffer overflow attempt (server-webapp.rules)
 * 1:57181 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Array.prototype.pop type confusion attempt (browser-firefox.rules)
 * 1:57182 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57184 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57193 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TCP/IP Remote Code Execution Vulnerability attempt (os-windows.rules)
 * 1:57179 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 1:57185 <-> ENABLED <-> SERVER-WEBAPP VMware administrative configurator component command injection attempt (server-webapp.rules)
 * 1:57178 <-> DISABLED <-> SERVER-WEBAPP Monstra CMS registration form cross site scripting attempt (server-webapp.rules)
 * 3:57186 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57187 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1250 attack attempt (os-other.rules)
 * 3:57189 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)
 * 3:57190 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2021-1255 attack attempt (file-executable.rules)

Modified Rules:


 * 1:42463 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:42464 <-> DISABLED <-> FILE-IMAGE Foxit Reader malformed DataSubBlock size attempt (file-image.rules)
 * 1:54496 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetSupportManager outbound connection attempt (malware-cnc.rules)
 * 3:55816 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE WebUI administrative access detected (policy-other.rules)