Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, malware-cnc, malware-other, netbios, os-windows, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (os-windows.rules)
* 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 3:49978 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49979 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)

Modified Rules:

* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
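The "gid:sid <-> Default rule state <-> Message (rule group)" format above is regular enough to parse mechanically, which matters in practice: many of the rules in this pack ship DISABLED (the SChannel CertificateVerify, Flexera FlexNet, Oracle Business Intelligence, Photoshop and DHCP client rules), so a default policy will not alert on them until an operator opts in, and gid:3 entries are shared-object (SO) rules that require the precompiled SO rule package for your Snort build. The following Python script is an added example, not Talos or Snort code. It parses a constructed sample of lines copied from the list above, deduplicates rules that recur across the per-version sections, and produces a review checklist of disabled rules per rule file plus a list of gid:sid identifiers in the form that rule-management enable lists accept (pulledpork's enablesid.conf is assumed as the consumer; the script writes nothing to it).

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the changelog above in the documented
# "gid:sid <-> Default rule state <-> Message (rule group)" format. The second
# line is a deliberate duplicate, as happens when the same rule is listed once
# per Snort version on the page; the last line is prose that must be ignored.
SAMPLE_CHANGELOG = """\
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
This line is not a rule entry and must be skipped.
"""

# One changelog entry: "* gid:sid <-> STATE <-> message (file.rules)".
# The leading "*" is optional so the regex also accepts a raw line.
ENTRY_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[^()\s]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into a list of dicts, deduplicated on (gid, sid).

    Non-matching lines are skipped rather than raising, because the page mixes
    prose with rule entries. The first occurrence of a gid:sid wins.
    """
    seen = set()
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        if key in seen:
            continue
        seen.add(key)
        entries.append({
            "gid": key[0],
            "sid": key[1],
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            # gid 3 entries are shared-object (SO) rules: they only load if the
            # precompiled SO package matching the Snort build is installed.
            "so_rule": key[0] == 3,
        })
    return entries


def disabled_by_group(entries):
    """Map rule file -> sorted 'gid:sid' list for rules that ship DISABLED.

    These are the rules an operator must opt into; the default policy will
    not alert on them.
    """
    out = defaultdict(list)
    for e in entries:
        if e["state"] == "DISABLED":
            out[e["group"]].append(f"{e['gid']}:{e['sid']}")
    return {group: sorted(ids) for group, ids in out.items()}


def enable_list(entries, keyword):
    """Return 'gid:sid' strings for DISABLED rules whose message contains keyword.

    One gid:sid per item is the form enable lists such as pulledpork's
    enablesid.conf accept (assumed consumer; nothing is written here).
    """
    kw = keyword.lower()
    return [
        f"{e['gid']}:{e['sid']}"
        for e in entries
        if e["state"] == "DISABLED" and kw in e["msg"].lower()
    ]


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print(f"{len(rules)} unique rules, {sum(r['so_rule'] for r in rules)} SO rule(s)")
    for group, ids in sorted(disabled_by_group(rules).items()):
        print(f"{group}: {', '.join(ids)}")
    print("enable for SChannel:", enable_list(rules, "SChannel"))
```

Feeding the script the whole page instead of the sample gives one record per unique gid:sid regardless of how many Snort versions list it; the per-group view of DISABLED rules is the list to walk when deciding what to enable for hosts that actually run the affected software.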
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (os-windows.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 3:49979 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49978 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)

Modified Rules:

* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (os-windows.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 3:49979 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49978 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)

Modified Rules:

* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (snort3-os-windows.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (snort3-server-other.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (snort3-malware-other.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (snort3-file-image.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (snort3-browser-ie.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (snort3-server-other.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (snort3-policy-other.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (snort3-malware-cnc.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (snort3-malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (snort3-malware-other.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (snort3-malware-other.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (snort3-server-webapp.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (snort3-server-webapp.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (snort3-server-webapp.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (snort3-malware-cnc.rules)
* 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (snort3-file-image.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (snort3-malware-cnc.rules)
* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (snort3-malware-cnc.rules)
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (snort3-os-windows.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (snort3-browser-ie.rules)

Modified Rules:

* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (snort3-netbios.rules)
* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (snort3-server-oracle.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (snort3-server-webapp.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (snort3-server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (os-windows.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49962 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 1:49963 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
* 3:49978 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49979 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)

Modified Rules:

* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:49968 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49977 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49957 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49965 <-> ENABLED <-> SERVER-WEBAPP Atlassian confluence widget remote code execution attempt (server-webapp.rules)
* 1:49950 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49961 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49946 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49955 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49953 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49980 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49952 <-> ENABLED <-> MALWARE-CNC Win.Downloader.AutoIt outbound connection (malware-cnc.rules)
* 1:49958 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49959 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49960 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Clop download attempt (malware-other.rules)
* 1:49954 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website (malware-cnc.rules)
* 1:49951 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TextData object use after free attempt (browser-ie.rules)
* 1:49956 <-> ENABLED <-> MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection (malware-cnc.rules)
* 1:49973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49975 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49944 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49964 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client domain search integer underflow attempt (os-windows.rules)
* 1:49972 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49945 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:49969 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49981 <-> ENABLED <-> SERVER-OTHER SAP NetWeaver Gateway arbitrary code execution attempt (server-other.rules)
* 1:49971 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49970 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49967 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49976 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SChannel CertificateVerify buffer overflow attempt (os-windows.rules)
* 1:49966 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence directory traversal attempt (server-webapp.rules)
* 1:49947 <-> DISABLED <-> POLICY-OTHER HP OpenView Operations Agent request attempt (policy-other.rules)
* 3:49979 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49949 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)
* 3:49978 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0818 attack attempt (file-other.rules)
* 3:49948 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0817 attack attempt (file-pdf.rules)

Modified Rules:

* 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
* 1:49943 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:39910 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:49942 <-> ENABLED <-> SERVER-ORACLE Oracle WebLogic Server remote command execution attempt (server-oracle.rules)
* 1:38246 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 1:24972 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request (netbios.rules)
* 1:38247 <-> DISABLED <-> SERVER-OTHER Flexera FlexNet Publisher stack buffer overflow attempt (server-other.rules)
* 3:24973 <-> ENABLED <-> NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt (netbios.rules)