Talos has added and modified multiple rules in the file-image, file-other, file-pdf, indicator-obfuscation, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45807 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45805 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45811 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45806 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45797 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45809 <-> DISABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45812 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45810 <-> ENABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45785 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45799 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45795 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45815 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45798 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45800 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45796 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45780 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45781 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45775 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45776 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45777 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45778 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45779 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45808 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45814 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45802 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45804 <-> DISABLED <-> SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt (server-other.rules)
* 1:45792 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45803 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45794 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45801 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45793 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45790 <-> ENABLED <-> SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt (server-webapp.rules)
* 1:45791 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45784 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 3:45813 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager information disclosure attempt (server-webapp.rules)
* 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45811 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45776 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45805 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45806 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45808 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45812 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45815 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45807 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45814 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45780 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45781 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45784 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45785 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45809 <-> DISABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45810 <-> ENABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45790 <-> ENABLED <-> SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt (server-webapp.rules)
* 1:45791 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45792 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45793 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45794 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45795 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45796 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45797 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45798 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45777 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45779 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45775 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45778 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45804 <-> DISABLED <-> SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt (server-other.rules)
* 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45799 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45800 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45801 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45802 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45803 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 3:45813 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager information disclosure attempt (server-webapp.rules)
* 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45775 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45807 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (snort3-os-windows.rules)
* 1:45815 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (snort3-file-image.rules)
* 1:45814 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (snort3-file-image.rules)
* 1:45812 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (snort3-file-other.rules)
* 1:45811 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (snort3-file-other.rules)
* 1:45810 <-> ENABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (snort3-indicator-obfuscation.rules)
* 1:45808 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (snort3-os-windows.rules)
* 1:45809 <-> DISABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (snort3-indicator-obfuscation.rules)
* 1:45806 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45777 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (snort3-file-other.rules)
* 1:45778 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (snort3-server-other.rules)
* 1:45779 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (snort3-server-other.rules)
* 1:45780 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (snort3-file-other.rules)
* 1:45776 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (snort3-file-other.rules)
* 1:45781 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (snort3-file-other.rules)
* 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (snort3-file-other.rules)
* 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (snort3-file-other.rules)
* 1:45784 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (snort3-file-pdf.rules)
* 1:45785 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (snort3-file-pdf.rules)
* 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
* 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
* 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-image.rules)
* 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-image.rules)
* 1:45790 <-> ENABLED <-> SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt (snort3-server-webapp.rules)
* 1:45791 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (snort3-file-image.rules)
* 1:45792 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (snort3-file-image.rules)
* 1:45793 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (snort3-file-other.rules)
* 1:45794 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (snort3-file-other.rules)
* 1:45795 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45796 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45797 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45798 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45799 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45805 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (snort3-server-webapp.rules)
* 1:45800 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45801 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (snort3-server-other.rules)
* 1:45802 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:45803 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
* 1:45804 <-> DISABLED <-> SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt (snort3-server-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (snort3-server-samba.rules)
* 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
* 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
* 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
* 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45807 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45806 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45805 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45780 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45781 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45784 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45785 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45790 <-> ENABLED <-> SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt (server-webapp.rules)
* 1:45791 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45792 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45793 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45794 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45795 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45796 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45797 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45798 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45799 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45800 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45801 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45802 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45804 <-> DISABLED <-> SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt (server-other.rules)
* 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45803 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45808 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45811 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45810 <-> ENABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45809 <-> DISABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45814 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45812 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45815 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45775 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45778 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45779 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45776 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45777 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 3:45813 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager information disclosure attempt (server-webapp.rules)
* 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45795 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45794 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45793 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro nested IFD out of bounds read attempt (file-other.rules)
* 1:45792 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45791 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF malformed YCbCrCoefficients values attempt (file-image.rules)
* 1:45790 <-> ENABLED <-> SERVER-WEBAPP Jenkins Java SignedObject deserialization command execution attempt (server-webapp.rules)
* 1:45789 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45788 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-image.rules)
* 1:45787 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45786 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45785 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45784 <-> DISABLED <-> FILE-PDF Adobe Reader annotation object out of bounds read attempt (file-pdf.rules)
* 1:45783 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45782 <-> ENABLED <-> FILE-OTHER EMF EmrText object out of bounds read attempt (file-other.rules)
* 1:45781 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45780 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS out of bounds read attempt (file-other.rules)
* 1:45779 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45778 <-> ENABLED <-> SERVER-OTHER Jackson databind deserialization remote code execution attempt (server-other.rules)
* 1:45777 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45776 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file malformed Source attribute buffer overflow attempt (file-other.rules)
* 1:45775 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
* 1:45811 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 1:45810 <-> ENABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45809 <-> DISABLED <-> INDICATOR-OBFUSCATION Coinhive cryptocurrency miner obfuscated detected (indicator-obfuscation.rules)
* 1:45808 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45807 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GetThreadContext kernel memory leak attempt (os-windows.rules)
* 1:45806 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45805 <-> DISABLED <-> SERVER-WEBAPP HP IMC guiDataDetail Java expression language injection attempt (server-webapp.rules)
* 1:45804 <-> DISABLED <-> SERVER-OTHER Disk Savvy Enterprise buffer overflow attempt (server-other.rules)
* 1:45803 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45802 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
* 1:45801 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45800 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45799 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45798 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45797 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45796 <-> DISABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:45815 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45814 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG tag data buffer overflow attempt (file-image.rules)
* 1:45812 <-> ENABLED <-> FILE-OTHER EMF embedded image out of bound read attempt (file-other.rules)
* 3:45813 <-> ENABLED <-> SERVER-WEBAPP Cisco Unified Communications Manager information disclosure attempt (server-webapp.rules)
* 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)