Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-office, file-other, policy-other, protocol-other, protocol-voip, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
* 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
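The per-version lists on this page all use the same one-line format, and two things about them matter to whoever deploys the pack: almost every gid 1 addition ships DISABLED (only 1:49861, the SharePoint RCE rule, is ENABLED), so the new coverage does nothing until it is deliberately turned on, and the gid 3 entries are shared-object (precompiled) rules that appear in the 2.9.x lists but not in the Snort 3 list. The parser below is an added example, not Talos or Snort project code. It reads the `gid:sid <-> state <-> Message (rules file)` entries as they appear on this page, whether one per line or run together on a single line as the extraction left them, and reports what shipped disabled, which rules file each SID lives in, which entries are gid 3, and what differs between two builds' lists. The sample texts are constructed excerpts of the page's own entries; the function names are mine, and the `enablesid.conf` output assumes PulledPork's one `gid:sid` per line format with `#` comment lines.

```python
"""Parse a Snort rule-update changelog ("gid:sid <-> state <-> message
(rules-file)") and answer what a deployer asks of it: which entries ship
DISABLED, what lives in which rules file, which are shared-object rules,
and what differs between two builds' lists.  Example code, not Talos/Snort's."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One item: "gid:sid <-> ENABLED|DISABLED <-> MESSAGE (rules-file)"
ITEM_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # default state in the ruleset: ENABLED or DISABLED
    category: str   # first token of the message, e.g. SERVER-OTHER
    msg: str
    group: str      # rules file the SID lives in, e.g. server-other.rules

    @property
    def shared_object(self) -> bool:
        # gid 3 is reserved for precompiled shared-object (SO) rules
        return self.gid == 3


def parse_changelog(text: str) -> list[RuleEntry]:
    """Accept items one per line or run together on one line separated by
    ' * '; an item broken across a line break is re-joined before matching."""
    entries = []
    for chunk in re.split(r"(?:^|\s)\*\s+", text):
        item = " ".join(chunk.split())          # collapse embedded line breaks
        if not re.match(r"\d+:\d+\s*<->", item):
            continue                             # header text, not an item
        m = ITEM_RE.match(item)
        if not m:
            raise ValueError(f"malformed changelog item: {item[:60]!r}")
        msg = m.group("msg")
        entries.append(RuleEntry(int(m.group("gid")), int(m.group("sid")),
                                 m.group("state"), msg.split(" ", 1)[0],
                                 msg, m.group("group")))
    return entries


def disabled_by_default(entries, category=None):
    """Entries that add no coverage until enabled; optionally one category only."""
    return [e for e in entries
            if e.state == "DISABLED" and (category is None or e.category == category)]


def state_counts_by_group(entries):
    """{rules-file: {'ENABLED': n, 'DISABLED': m}}: where the default-off bulk sits."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for e in entries:
        counts[e.group][e.state] += 1
    return dict(counts)


def compare_lists(a, b):
    """(only_in_a, only_in_b) as sorted (gid, sid) pairs for two builds' lists."""
    ka = {(e.gid, e.sid) for e in a}
    kb = {(e.gid, e.sid) for e in b}
    return sorted(ka - kb), sorted(kb - ka)


def enablesid_conf(entries, select):
    """Render a PulledPork enablesid.conf fragment (one 'gid:sid' per line,
    '#' comment lines; assumed format) for the entries that `select` picks."""
    lines = ["# generated from the rule-update changelog"]
    for e in sorted(entries, key=lambda e: (e.gid, e.sid)):
        if select(e):
            lines.append(f"# {e.msg}")
            lines.append(f"{e.gid}:{e.sid}")
    return "\n".join(lines) + "\n"


# Constructed excerpt of the page's 2.9.x entries, deliberately mixing the
# one-per-line form with run-together and line-broken items.
SAMPLE_29X = """\
gid:sid <-> Default rule state <-> Message (rule group)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules) * 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules) * 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 1:49872 <-> DISABLED <->
SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
"""

# Constructed excerpt in the Snort 3 list's form (snort3-*.rules, no gid 3 entries).
SAMPLE_SNORT3 = """\
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (snort3-policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    v29 = parse_changelog(SAMPLE_29X)
    v3 = parse_changelog(SAMPLE_SNORT3)
    print(f"{len(v29)} entries, {len(disabled_by_default(v29))} disabled by default")
    print(state_counts_by_group(v29))
    print("only in the 2.9.x list:", compare_lists(v29, v3)[0])
    print(enablesid_conf(v29, lambda e: e.category == "SERVER-OTHER"))
```

Run it against a whole per-version list pasted into `SAMPLE_29X` and the `compare_lists` output against the Snort 3 list will consist of exactly the gid 3 entries; `enablesid_conf` is the piece to feed to your rule manager once you have decided which of the default-off additions belong in your environment.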
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
* 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
* 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (snort3-policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (snort3-server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (snort3-browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (snort3-browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (snort3-file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (snort3-file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (snort3-browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (snort3-browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (snort3-server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (snort3-server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (snort3-server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (snort3-server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (snort3-server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (snort3-server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (snort3-browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (snort3-server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (snort3-browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (snort3-file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (snort3-file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
* 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:
* 1:49860 <-> DISABLED <-> POLICY-OTHER TP-Link TL-WA850RE remote reboot attempt (policy-other.rules)
* 1:49861 <-> ENABLED <-> SERVER-WEBAPP Microsoft SharePoint EntityInstanceIdEncoder remote code execution attempt (server-webapp.rules)
* 1:49862 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49863 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
* 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49865 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
* 1:49868 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49869 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:49870 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49871 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CQuotes use-after-free attempt (browser-ie.rules)
* 1:49872 <-> DISABLED <-> SERVER-OTHER Drager X-Dock dxmanager denial of service attempt (server-other.rules)
* 1:49873 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49874 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49875 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49876 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49877 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49878 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:49880 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha1 integer overflow attempt detected (server-other.rules)
* 1:49881 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with md5 integer overflow attempt detected (server-other.rules)
* 1:49882 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha256 integer overflow attempt detected (server-other.rules)
* 1:49883 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha384 integer overflow attempt detected (server-other.rules)
* 1:49884 <-> DISABLED <-> SERVER-OTHER Corosync 2.3+ with sha512 integer overflow attempt detected (server-other.rules)
* 3:49852 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49853 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0805 attack attempt (file-office.rules)
* 3:49854 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49855 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0803 attack attempt (protocol-other.rules)
* 3:49856 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49857 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0801 attack attempt (file-other.rules)
* 3:49858 <-> ENABLED <-> PROTOCOL-VOIP Cisco VCS exponential XML entity expansion attack attempt (protocol-voip.rules)
* 3:49859 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller cross site request forgery attempt (server-webapp.rules)
* 3:49866 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49867 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
* 3:49879 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller IAPP message denial of service attempt (server-other.rules)

Modified Rules:
* 1:31333 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31334 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 8.5 ActiveX clsid access (browser-plugins.rules)
* 1:31335 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:31336 <-> DISABLED <-> BROWSER-PLUGINS IBM iNotes version 9 ActiveX clsid access (browser-plugins.rules)
* 1:40880 <-> DISABLED <-> SERVER-WEBAPP Moxa AWK-3131A invalid HTTP request denial of service attempt (server-webapp.rules)
* 1:40949 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:40950 <-> DISABLED <-> BROWSER-IE Microsoft Edge SIMD memory corruption attempt (browser-ie.rules)
* 1:48969 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file remote code execution attempt (file-other.rules)
* 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)