Talos has added and modified multiple rules in the file-pdf, malware-cnc, os-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)

* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)

* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)

* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)

* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (snort3-server-other.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (snort3-server-other.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (snort3-file-pdf.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (snort3-malware-cnc.rules)
* 1:300015 <-> ENABLED <-> SERVER-OTHER Cisco IOS HTTP percent sign denial of service attempt (snort3-native.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (snort3-server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (snort3-server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (snort3-server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (snort3-server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (snort3-server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (snort3-server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (snort3-server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (snort3-server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (snort3-os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (snort3-server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (snort3-server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (snort3-server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:57568 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57569 <-> DISABLED <-> SERVER-OTHER Oracle Java PhantomReference object handling memory corruption attempt (server-other.rules)
* 1:57561 <-> ENABLED <-> MALWARE-CNC Win.Spyware.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57565 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57564 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57553 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57563 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:57555 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57566 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57556 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57567 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC Annots.api setProps use-after-free attempt (file-pdf.rules)
* 1:57554 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:57558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrimsonRat outbound connection attempt (malware-cnc.rules)
* 1:30031 <-> DISABLED <-> SERVER-WEBAPP IBM Lotus Domino stack buffer overflow attempt (server-webapp.rules)
* 1:32261 <-> DISABLED <-> SERVER-WEBAPP PineApp Mail-SeCure conflivelog.pl install license command injection attempt (server-webapp.rules)
* 1:36461 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost sadminpwd buffer overflow attempt (server-other.rules)
* 1:36462 <-> DISABLED <-> SERVER-OTHER Novell eDirectory DHost verifypwd buffer overflow attempt (server-other.rules)
* 1:41810 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file upload attempt (server-other.rules)
* 1:41811 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file delete attempt (server-other.rules)
* 1:41812 <-> DISABLED <-> SERVER-OTHER Apache ActiveMQ fileserver broker service file move attempt (server-other.rules)
* 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
* 1:43388 <-> DISABLED <-> OS-OTHER Apple OSX CFNetwork HTTP response denial of service attempt (os-other.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
* 1:51547 <-> DISABLED <-> SERVER-APACHE Apache cookie logging denial of service attempt (server-apache.rules)