Talos Rules 2022-04-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2022-24474: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59497 through 59498.

Microsoft Vulnerability CVE-2022-24481: A coding deficiency exists in the Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59521 through 59522.

Microsoft Vulnerability CVE-2022-24491: A coding deficiency exists in Microsoft Windows Network File System that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59534 through 59535.

Microsoft Vulnerability CVE-2022-24497: A coding deficiency exists in Microsoft Windows Network File System that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 59533.

Microsoft Vulnerability CVE-2022-24521: A coding deficiency exists in the Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59523 through 59524.

Microsoft Vulnerability CVE-2022-24542: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59525 through 59526.

Microsoft Vulnerability CVE-2022-24546: A coding deficiency exists in the Microsoft DWM Core Library that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59529 through 59530.

Microsoft Vulnerability CVE-2022-24547: A coding deficiency exists in Microsoft Windows Digital Media Receiver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59531 through 59532.

Microsoft Vulnerability CVE-2022-26904: A coding deficiency exists in the Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59511 through 59512.

Microsoft Vulnerability CVE-2022-26914: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 59519 through 59520.

Talos also has added and modified multiple rules in the file-image, file-other, malware-cnc, os-windows, protocol-ftp, protocol-other, protocol-scada, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2022-04-12 19:42:57 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091900.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
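Note that of the ten Microsoft CVEs called out above, only the CVE-2022-26914 rules (1:59519 and 1:59520) ship ENABLED; the other sixteen SIDs are DISABLED by default and produce no alerts until a deployment turns them on. The following script is an added example, not part of the Talos release notes or of the Snort project: it parses lines in the "gid:sid <-> Default rule state <-> Message (rule group)" format stated above, cross-checks them against the GID 1 SID ranges the advisory text assigns to each CVE, and reports which of those rules are missing from the pack or off by default. The SAMPLE text is an excerpt of os-windows and file-other entries copied from the New Rules list above; the ADVISORY table, the function names and the gid:sid output format are this example's own choices.

```python
import re

# Line format stated in the changelog: gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+)\)\s*$"
)

# Excerpt copied from the New Rules list of the 2091900 pack above (example input).
SAMPLE = """\
New Rules:

 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
"""

# SID ranges (GID 1) the advisory text assigns to each CVE; table built for this example.
ADVISORY = {
    "CVE-2022-24474": (59497, 59498),
    "CVE-2022-24481": (59521, 59522),
    "CVE-2022-24491": (59534, 59535),
    "CVE-2022-24497": (59533, 59533),
    "CVE-2022-24521": (59523, 59524),
    "CVE-2022-24542": (59525, 59526),
    "CVE-2022-24546": (59529, 59530),
    "CVE-2022-24547": (59531, 59532),
    "CVE-2022-26904": (59511, 59512),
    "CVE-2022-26914": (59519, 59520),
}


def parse_changelog(text):
    """Map (gid, sid) -> {'state', 'msg', 'group'} for every rule line in the text.

    Lines that do not match the format (headers, blanks) are skipped.
    """
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            gid, sid, state, msg, group = m.groups()
            rules[(int(gid), int(sid))] = {"state": state, "msg": msg, "group": group}
    return rules


def coverage_report(rules, advisory=ADVISORY, gid=1):
    """For each CVE: SIDs present in the pack, SIDs the advisory claims but the pack
    lacks, SIDs that are DISABLED by default, and the rule files they live in."""
    report = {}
    for cve, (lo, hi) in advisory.items():
        sids = range(lo, hi + 1)
        found = [s for s in sids if (gid, s) in rules]
        report[cve] = {
            "found": found,
            "missing": [s for s in sids if (gid, s) not in rules],
            "disabled": [s for s in found if rules[(gid, s)]["state"] == "DISABLED"],
            "groups": sorted({rules[(gid, s)]["group"] for s in found}),
        }
    return report


def sids_to_enable(report, gid=1):
    """Sorted 'gid:sid' strings for advisory rules that are off by default, i.e. the
    list an operator has to enable explicitly (e.g. in a PulledPork enablesid.conf)."""
    return sorted(f"{gid}:{s}" for r in report.values() for s in r["disabled"])


if __name__ == "__main__":
    rep = coverage_report(parse_changelog(SAMPLE))
    for cve, r in rep.items():
        print(cve, "found", r["found"], "missing", r["missing"], "disabled", r["disabled"])
    print("enable:", ",".join(sids_to_enable(rep)))
```

Run against the full change log rather than the excerpt, the "missing" list is the check that the SID ranges quoted in the advisory actually landed in the pack you deployed (the per-version lists below differ in ordering but carry the same SIDs), and the "disabled" list is what still has to be switched on before the sensor will alert on these CVEs.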

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091801.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091701.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)

Modified Rules:


 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)

Modified Rules:


 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
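Most of the rules in a release like this ship DISABLED by default, so the practical question for an operator is "which of the rules that cover this month's CVEs will actually fire on my sensor unless I enable them?" The following Python is an added example, not part of the Talos release notes or of any Snort tooling; it parses lines in the gid:sid <-> state <-> message (group) layout described above, summarises the default states per rule group, and, given a CVE-to-SID mapping of the kind the advisory notes at the top of each release provide, lists the covering rules that are DISABLED and emits them as gid:sid lines. The sample changelog lines and the advisory mapping below are constructed input (the SIDs are taken from this release); the gid:sid output form is the one that rule-management tools such as PulledPork accept in enablesid.conf, which is an assumption to check against your own tooling.

```python
import re
from collections import Counter

# Constructed sample input: five lines copied in the changelog's
# "gid:sid <-> Default rule state <-> Message (rule group)" layout.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
"""

# Constructed sample: which SIDs an advisory says cover which CVE.
# Populate this from the vulnerability notes of the actual release.
SAMPLE_ADVISORY = {
    "CVE-2022-24474": (1, [59497, 59498]),
    "CVE-2022-24497": (1, [59533]),
}

# One changelog line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)"
    r"\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"],
            "group": m["group"],
        })
    return entries


def state_summary(entries):
    """Count of ENABLED vs DISABLED rules, keyed by rule group file."""
    counts = {}
    for e in entries:
        counts.setdefault(e["group"], Counter())[e["enabled"]] += 1
    return {g: {"enabled": c[True], "disabled": c[False]} for g, c in counts.items()}


def disabled_coverage(entries, advisory):
    """For each CVE: covering SIDs that ship DISABLED, and SIDs absent from the release list."""
    by_key = {(e["gid"], e["sid"]): e for e in entries}
    report = {}
    for cve, (gid, sids) in advisory.items():
        disabled = [s for s in sids if (gid, s) in by_key and not by_key[(gid, s)]["enabled"]]
        missing = [s for s in sids if (gid, s) not in by_key]
        report[cve] = {"disabled": disabled, "missing": missing}
    return report


def enablesid_lines(entries, advisory):
    """gid:sid lines, sorted, for every advisory rule that is DISABLED by default."""
    lines = set()
    for cve, info in disabled_coverage(entries, advisory).items():
        gid = advisory[cve][0]
        for sid in info["disabled"]:
            lines.add(f"{gid}:{sid}")
    return sorted(lines, key=lambda s: tuple(int(x) for x in s.split(":")))


if __name__ == "__main__":
    entries = parse_changelog(SAMPLE_CHANGELOG)
    print(state_summary(entries))
    print(disabled_coverage(entries, SAMPLE_ADVISORY))
    print("\n".join(enablesid_lines(entries, SAMPLE_ADVISORY)))
```

Run against the full release text instead of the sample, the "missing" list is the check worth keeping: a SID the advisory names but the changelog does not list means the rule pack on the sensor is not the one the advisory describes, which is exactly the case where "we have coverage" is wrong.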

New Rules:


 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)

Modified Rules:


 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)

Modified Rules:


 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)

Modified Rules:


 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (snort3-server-webapp.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (snort3-server-apache.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (snort3-server-webapp.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (snort3-malware-cnc.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (snort3-protocol-other.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (snort3-os-windows.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (snort3-server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (snort3-os-windows.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (snort3-file-image.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (snort3-file-image.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (snort3-server-other.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (snort3-os-windows.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (snort3-os-windows.rules)
 * 1:300067 <-> ENABLED <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow (snort3-native.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (snort3-protocol-ftp.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (snort3-server-webapp.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (snort3-file-other.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (snort3-file-other.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (snort3-file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (snort3-file-other.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (snort3-server-webapp.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (snort3-server-webapp.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (snort3-server-webapp.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (snort3-os-windows.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (snort3-file-other.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (snort3-os-windows.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (snort3-server-webapp.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (snort3-os-windows.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (snort3-file-other.rules)
 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (snort3-file-other.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (snort3-file-image.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (snort3-os-windows.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (snort3-file-image.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (snort3-file-other.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (snort3-server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (snort3-server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (snort3-pua-other.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (snort3-file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (snort3-server-webapp.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (snort3-server-other.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (snort3-server-webapp.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (snort3-server-webapp.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (snort3-file-other.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (snort3-os-windows.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (snort3-os-windows.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (snort3-server-webapp.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (snort3-os-windows.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (snort3-protocol-scada.rules)

Modified Rules:


 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (snort3-server-webapp.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (snort3-server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (snort3-server-webapp.rules)
 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (snort3-server-other.rules)

2022-04-12 19:42:58 UTC

Snort Subscriber Rules Update

Date: 2022-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:59523 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59482 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt (server-webapp.rules)
 * 1:59488 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59531 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59533 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59483 <-> DISABLED <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt (server-webapp.rules)
 * 1:59532 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt (os-windows.rules)
 * 1:59525 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59487 <-> DISABLED <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt (file-image.rules)
 * 1:59489 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59490 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59491 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt (server-webapp.rules)
 * 1:59492 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59529 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59493 <-> DISABLED <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt (file-other.rules)
 * 1:59528 <-> DISABLED <-> PROTOCOL-OTHER cURL libcurl NtLM type 3 stack based buffer overflow attempt (protocol-other.rules)
 * 1:59494 <-> DISABLED <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt (server-other.rules)
 * 1:59495 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59526 <-> DISABLED <-> OS-WINDOWS Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:59496 <-> DISABLED <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt (server-webapp.rules)
 * 1:59497 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59498 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt (os-windows.rules)
 * 1:59499 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:59500 <-> ENABLED <-> PUA-OTHER XMRig cryptocurrency miner outbound connection (pua-other.rules)
 * 1:59501 <-> ENABLED <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection (malware-cnc.rules)
 * 1:59502 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt (os-windows.rules)
 * 1:59503 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59504 <-> DISABLED <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt (file-image.rules)
 * 1:59534 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59505 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59535 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt (os-windows.rules)
 * 1:59506 <-> DISABLED <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt (file-other.rules)
 * 1:59507 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59530 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt (os-windows.rules)
 * 1:59508 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59524 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt (file-other.rules)
 * 1:59484 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt (protocol-scada.rules)
 * 1:59509 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59485 <-> DISABLED <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt (server-other.rules)
 * 1:59510 <-> DISABLED <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt (file-other.rules)
 * 1:59511 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59512 <-> DISABLED <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt (os-windows.rules)
 * 1:59513 <-> DISABLED <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt (server-webapp.rules)
 * 1:59514 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt (server-webapp.rules)
 * 1:59515 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59516 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59517 <-> DISABLED <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt (server-webapp.rules)
 * 1:59518 <-> DISABLED <-> SERVER-OTHER ArcServe D2D getNews XXE attempt (server-other.rules)
 * 1:59519 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59520 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt (os-windows.rules)
 * 1:59486 <-> DISABLED <-> SERVER-APACHE Spark RPC authentication bypass attempt (server-apache.rules)
 * 1:59521 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59522 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt (os-windows.rules)
 * 1:59527 <-> DISABLED <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt (protocol-ftp.rules)

Modified Rules:


 * 1:54032 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:54031 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33448 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54033 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)
 * 1:33447 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:33446 <-> DISABLED <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt (server-webapp.rules)
 * 1:54030 <-> ENABLED <-> SERVER-OTHER SaltStack wheel directory traversal attempt (server-other.rules)

2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
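Each of the per-version blocks in this update uses the same gid:sid <-> Message layout, and the advisory text refers to rules only by GID and SID range. As an added example (not Talos or Snort tooling), the Python below parses that layout into New and Modified sections, checks whether a SID range the advisory names is actually present for a given GID, and separates gid 3 (shared object) entries, which require the precompiled SO rule package for the matching Snort build rather than only the text rules. The embedded sample is constructed from a handful of the entries above and assumes the exact layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the changelog layout shown on this page (not the full file).
SAMPLE = """\
Snort Subscriber Rules Update

Date: 2022-04-12-001

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt

Modified Rules:

* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
"""

# "* <gid>:<sid> <-> <CATEGORY> <message>"; trailing whitespace is tolerated.
RULE_LINE = re.compile(r"^\*\s+(\d+):(\d+)\s+<->\s+(\S+)\s+(.*?)\s*$")
SECTION_LINE = re.compile(r"^(New|Modified) Rules:$")


def parse_changelog(text):
    """Return {"New": {(gid, sid): (category, msg)}, "Modified": {...}}."""
    sections = {"New": {}, "Modified": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and current:
            gid, sid = int(m.group(1)), int(m.group(2))
            sections[current][(gid, sid)] = (m.group(3), m.group(4))
    return sections


def missing_sids(sections, gid, first, last):
    """SIDs in [first, last] that neither section lists for this gid.
    Gaps are normal (SIDs are not always contiguous in one release), but an
    advisory-quoted range should be confirmed rather than assumed covered."""
    present = set(sections["New"]) | set(sections["Modified"])
    return [sid for sid in range(first, last + 1) if (gid, sid) not in present]


def by_category(sections, which="New"):
    """Count rules per category prefix (OS-WINDOWS, SERVER-WEBAPP, ...)."""
    counts = defaultdict(int)
    for (_gid, _sid), (cat, _msg) in sections[which].items():
        counts[cat] += 1
    return dict(counts)


def shared_object_rules(sections):
    """gid 3 entries are shared object rules: they ship as compiled objects
    and must come from the SO package built for the Snort version in use."""
    return sorted((g, s) for sec in sections.values() for (g, s) in sec if g == 3)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("new:", len(parsed["New"]), "modified:", len(parsed["Modified"]))
    print("missing in 1:59527-59529:", missing_sids(parsed, 1, 59527, 59529))
    print("shared object rules:", shared_object_rules(parsed))
```

Point it at the full changelog text for the Snort version actually deployed; the text rules are the same across the blocks above, but the gid 3 entries only work with the SO package compiled for that version.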


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.0.3.4.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.0.1.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.1.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.3.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.4.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.5.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.7.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:02 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.9.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:03 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.11.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:03 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.15.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NtLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantonPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligencee BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:03 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.18.0.

The format of the file is:

gid:sid <-> Message
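The listing format above is simple enough to parse mechanically, and doing so is the practical check a detection engineer wants before trusting a release: confirm that every SID range an advisory cites actually appears under "New Rules", and see which SIDs in the run were skipped. The following parser and checks are an added example written for this page, not Talos or Snort code. The sample text is a constructed excerpt of a few lines copied from this release in the documented `gid:sid <-> Message` form; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from this release listing,
# kept in the documented "gid:sid <-> Message" form under section headers.
SAMPLE = """\
New Rules:

* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt

Modified Rules:

* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
"""

# One rule line: "* <gid>:<sid> <-> <message>"; trailing whitespace tolerated.
LINE_RE = re.compile(r"^\*\s+(\d+):(\d+)\s+<->\s+(.*\S)\s*$")
SECTION_RE = re.compile(r"^(New|Modified) Rules:$")


def parse_listing(text):
    """Return {section: {(gid, sid): message}} for a release-notes listing.

    Lines before the first section header are ignored; malformed lines
    are skipped rather than raising, since these notes carry prose too.
    """
    rules = defaultdict(dict)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = LINE_RE.match(line)
        if m and section:
            gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(3)
            rules[section][(gid, sid)] = msg
    return dict(rules)


def missing_sids(rules, gid, first, last, section="New"):
    """SIDs in [first, last] for the given gid that the section does not list."""
    present = {sid for (g, sid) in rules.get(section, {}) if g == gid}
    return [s for s in range(first, last + 1) if s not in present]


def check_advisory(rules, claims, section="New"):
    """Verify advisory claims of the form (gid, first_sid, last_sid).

    Returns only the claims that are not fully covered, mapped to the
    SIDs that are absent, so an empty dict means every cited SID is present.
    """
    gaps = {}
    for gid, first, last in claims:
        absent = missing_sids(rules, gid, first, last, section)
        if absent:
            gaps[(gid, first, last)] = absent
    return gaps


def class_counts(rules, section="New"):
    """Count listed rules per message class prefix (text before the first space)."""
    counts = defaultdict(int)
    for msg in rules.get(section, {}).values():
        counts[msg.split(" ", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print("new:", len(parsed["New"]), "modified:", len(parsed["Modified"]))
    print("uncovered claims:", check_advisory(parsed, [(1, 59497, 59498), (1, 59527, 59529)]))
    print("classes:", class_counts(parsed))
```

Run against the full "New Rules" list on this page rather than the excerpt, `missing_sids(rules, 1, 59452, 59535)` reports the SIDs skipped in this release's run; the same call with the SID range an advisory cites is the check worth automating on every pull of the rule pack.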

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NTLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligence BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:03 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.20.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NTLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligence BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt


2022-04-12 19:49:03 UTC

Snort Subscriber Rules Update

Date: 2022-04-12-001

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3.1.21.0.

The format of the file is:

gid:sid <-> Message

New Rules:

* 1:300064 <-> FILE-OTHER Microsoft Office ole object external file loading attempt
* 1:300065 <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt
* 1:300066 <-> OS-OTHER Bash CGI environment variable injection attempt
* 1:300067 <-> SERVER-OTHER cURL libcurl NTLM type 3 stack based buffer overflow
* 1:59452 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59453 <-> FILE-OTHER 7-Zip crafted RAR solid compression memory corruption attempt
* 1:59454 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59455 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59456 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59457 <-> FILE-OTHER Perl archive tar arbitrary file overwrite attempt
* 1:59458 <-> SERVER-OTHER strongSwan gmp plugin denial of service attempt
* 1:59459 <-> SERVER-OTHER strongSwan x509 plugin denial of service attempt
* 1:59460 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59461 <-> FILE-OTHER GNU Libextractor ZIP file comment out-of-bounds read attempt
* 1:59462 <-> PROTOCOL-SCADA Rockwell Automation RSLinx Classic buffer overflow attempt
* 1:59463 <-> INDICATOR-SHELLCODE Java object deserialization exploit attempt
* 1:59464 <-> SERVER-OTHER Squid Proxy ESI response processing denial of service attempt
* 1:59465 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59466 <-> FILE-OTHER Fuji Electric V-Server VPR heap buffer overflow attempt
* 1:59467 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59468 <-> FILE-PDF Foxit Reader and PhantomPDF XFA gotoURL command injection attempt
* 1:59469 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59470 <-> FILE-IMAGE JasPer jp2_decode out of bounds read attempt
* 1:59471 <-> SERVER-OTHER Qognify Ocularis Event Coordinator insecure deserialization attempt
* 1:59472 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59473 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:59474 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59475 <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt
* 1:59476 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59477 <-> SERVER-OTHER Advantech WebAccess DCERPC stack buffer overflow attempt
* 1:59480 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59481 <-> SERVER-WEBAPP Apache APISIX default admin API backdoor usage attempt
* 1:59482 <-> SERVER-WEBAPP Oracle Business Intelligence BIRemotingServlet deserialization remote code execution attempt
* 1:59483 <-> SERVER-WEBAPP GilaCMS arbitrary php file upload attempt
* 1:59484 <-> PROTOCOL-SCADA Schneider Electric IGSS update service arbitrary file read attempt
* 1:59485 <-> SERVER-OTHER MIT Kerberos null pointer dereference attempt
* 1:59486 <-> SERVER-APACHE Spark RPC authentication bypass attempt
* 1:59487 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59488 <-> FILE-IMAGE LibTIFF tiffcrop integer overflow attempt
* 1:59489 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59490 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59491 <-> SERVER-WEBAPP Oracle WebLogic Server FileDistributionServlet information disclosure attempt
* 1:59492 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59493 <-> FILE-OTHER Microsoft Windows GDI memory corruption attempt
* 1:59494 <-> SERVER-OTHER HPE Intelligent Management Center dbman decryptMsgAes buffer overflow attempt
* 1:59495 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59496 <-> SERVER-WEBAPP pfSense ACME Package cross site scripting attempt
* 1:59497 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59498 <-> OS-WINDOWS Microsoft Windows Win32k escalation of privileges attempt
* 1:59499 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:59500 <-> PUA-OTHER XMRig cryptocurrency miner outbound connection
* 1:59501 <-> MALWARE-CNC Win.Infostealer.ZingoStealer outbound connection
* 1:59502 <-> OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt
* 1:59503 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59504 <-> FILE-IMAGE Microsoft Windows asycfilt.dll malformed jpeg buffer overread attempt
* 1:59505 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59506 <-> FILE-OTHER Symantec Norton Antivirus ccScanw.dll Unpack ShortLZ memory corruption attempt
* 1:59507 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59508 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59509 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59510 <-> FILE-OTHER ClamAV OLE2 uniq_add out of bounds write attempt
* 1:59511 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59512 <-> OS-WINDOWS Microsoft Windows User Profile Service privilege escalation attempt
* 1:59513 <-> SERVER-WEBAPP Apache APISIX Dashboard authentication bypass attempt
* 1:59514 <-> SERVER-WEBAPP CentOS Web Panel authentication bypass attempt
* 1:59515 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59516 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59517 <-> SERVER-WEBAPP CentOS Web Panel PHP file injection attempt
* 1:59518 <-> SERVER-OTHER ArcServe D2D getNews XXE attempt
* 1:59519 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59520 <-> OS-WINDOWS Microsoft Windows win32k.sys driver local privilege escalation attempt
* 1:59521 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59522 <-> OS-WINDOWS Microsoft Windows CLFS driver local privilege escalation attempt
* 1:59523 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59524 <-> FILE-OTHER Microsoft Windows CLFS driver privilege escalation attempt
* 1:59525 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59526 <-> OS-WINDOWS Windows Win32k elevation of privilege attempt
* 1:59527 <-> PROTOCOL-FTP uftpd handle_PORT buffer overflow attempt
* 1:59529 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59530 <-> OS-WINDOWS Microsoft Windows DWM Core privilege escalation attempt
* 1:59531 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59532 <-> OS-WINDOWS Microsoft Windows Digital Media Receiver privilege escalation attempt
* 1:59533 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59534 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt
* 1:59535 <-> OS-WINDOWS Microsoft Windows Server portmap.sys out of bounds write attempt

Modified Rules:

* 1:33446 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33447 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 1:33448 <-> SERVER-WEBAPP Symantec Encryption Management Server command injection attempt
* 3:35902 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack command injection attempt
* 3:35903 <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack buffer overflow attempt
* 1:39320 <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt
* 3:45222 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 3:45223 <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt
* 1:46233 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 1:46234 <-> FILE-OFFICE Microsoft JET Database remote code execution attempt
* 3:50117 <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt 
* 1:54030 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54031 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54032 <-> SERVER-OTHER SaltStack wheel directory traversal attempt
* 1:54033 <-> SERVER-OTHER SaltStack wheel directory traversal attempt