Talos Rules 2021-05-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-pdf, malware-cnc, os-other, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats against these technologies. Note the default states below: the new CrimsonRat command-and-control rules ship ENABLED, while the new exploit-detection rules (PineApp Mail-SeCure command injection, Acrobat Reader use-after-free, Oracle Java memory corruption) ship DISABLED and must be switched on explicitly where the affected software is in use.

Change logs

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701 (i.e. Snort 2.9.17.1; the same rule changes are listed once per supported Snort version below).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
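
The change log above is a plain-text format ("gid:sid <-> Default rule state <-> Message (rule group)"), and the practical question for an operator is which of the new or modified rules are DISABLED by default but cover high-impact attacks they would want to turn on. The following Python is an added example, not Talos tooling: it parses lines in this format, tallies rules per rule group and default state, picks out disabled rules whose message mentions a high-impact class (command injection, remote code execution), and renders the matching gid:sid pairs one per line, which is the enablesid.conf format consumed by PulledPork (an assumption about the reader's rule-management tool; adjust for your own). The sample input is constructed from a subset of the lines on this page.

```python
import re
from collections import Counter

# Constructed sample: a subset of the change-log lines from this page.
SAMPLE = """\
New Rules:

 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

Modified Rules:

 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
"""

# One change-log entry: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)

# Message fragments that mark a rule as worth enabling even though it is off by default.
REVIEW_KEYWORDS = ("command injection", "remote code execution")


def parse_changelog(text):
    """Parse change-log lines into dicts, tagging each entry with the
    section ('new' or 'modified') it appeared under."""
    entries, section = [], None
    for line in text.splitlines():
        if line.startswith("New Rules"):
            section = "new"
            continue
        if line.startswith("Modified Rules"):
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, anything not in the rule format
        entries.append({
            "section": section,
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
        })
    return entries


def summarize(entries):
    """Count rules per (rule group, default state) so the reviewer sees
    at a glance how much of the release is off by default."""
    return dict(Counter((e["group"], e["state"]) for e in entries))


def disabled_candidates(entries, keywords=REVIEW_KEYWORDS):
    """SIDs of DISABLED rules whose message matches a high-impact keyword."""
    return sorted(
        e["sid"] for e in entries
        if e["state"] == "DISABLED" and any(k in e["msg"].lower() for k in keywords)
    )


def enablesid_conf(entries, sids):
    """Render the chosen rules as 'gid:sid' lines. This is the enablesid.conf
    layout PulledPork reads (assumed here; check your own rule manager)."""
    wanted = set(sids)
    chosen = sorted((e for e in entries if e["sid"] in wanted),
                    key=lambda e: (e["gid"], e["sid"]))
    return "\n".join(f"{e['gid']}:{e['sid']}" for e in chosen)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(summarize(parsed))
    picks = disabled_candidates(parsed)
    print("Consider enabling:", picks)
    print(enablesid_conf(parsed, picks))
```

Run against the full change log rather than the sample, the keyword list is the policy knob: widen it (for example to "buffer overflow" or "file upload") for networks that expose the affected servers, and keep it narrow on segments where the extra DISABLED rules would only add noise.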

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

Modified Rules:


 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

Modified Rules:


 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (snort3-server-other.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (snort3-server-other.rules)
 * 1:300015 <-> ENABLED <-> SERVER-OTHER Cisco IOS HTTP percent sign denial of service attempt (snort3-native.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (snort3-server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (snort3-server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (snort3-server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (snort3-server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (snort3-server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (snort3-server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (snort3-os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (snort3-server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (snort3-server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (snort3-server-apache.rules)

2021-05-13 12:31:53 UTC

Snort Subscriber Rules Update

Date: 2021-05-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
 * 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
 * 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
 * 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

Modified Rules:


 * 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
 * 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
 * 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
 * 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)