Talos Rules 2016-07-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-executable, file-flash, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats in those categories.

Change logs

2016-07-07 23:39:41 UTC

Snort Subscriber Rules Update

Date: 2016-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules)
 * 1:39465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unlock92 outbound connection attempt (malware-cnc.rules)
 * 1:39458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules)
 * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39462 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39461 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39460 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39459 <-> DISABLED <-> SERVER-WEBAPP Oracle Web Cache HTTP header null byte injection attempt (server-webapp.rules)
 * 1:39455 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39456 <-> DISABLED <-> SERVER-WEBAPP NAS4Free txtPHPCommand remote code execution attempt (server-webapp.rules)
 * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules)
 * 1:39463 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39464 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules)
 * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39472 <-> DISABLED <-> SERVER-OTHER Jenkins server auto-discovery attempt (server-other.rules)
 * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39454 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39453 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:39457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

Modified Rules:


 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39443 <-> DISABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt (server-other.rules)
 * 3:39161 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)
 * 3:39162 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)

2016-07-07 23:39:41 UTC

Snort Subscriber Rules Update

Date: 2016-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39472 <-> DISABLED <-> SERVER-OTHER Jenkins server auto-discovery attempt (server-other.rules)
 * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unlock92 outbound connection attempt (malware-cnc.rules)
 * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39464 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39456 <-> DISABLED <-> SERVER-WEBAPP NAS4Free txtPHPCommand remote code execution attempt (server-webapp.rules)
 * 1:39453 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:39455 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39459 <-> DISABLED <-> SERVER-WEBAPP Oracle Web Cache HTTP header null byte injection attempt (server-webapp.rules)
 * 1:39460 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39461 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39462 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39463 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39454 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules)
 * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules)
 * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules)
 * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

Modified Rules:


 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39443 <-> DISABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt (server-other.rules)
 * 3:39161 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)
 * 3:39162 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)

2016-07-07 23:39:41 UTC

Snort Subscriber Rules Update

Date: 2016-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39477 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler port_config SQL injection attempt (server-webapp.rules)
 * 1:39476 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler export_report SQL injection attempt (server-webapp.rules)
 * 1:39475 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler algorithm_settings SQL injection attempt (server-webapp.rules)
 * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 1:39472 <-> DISABLED <-> SERVER-OTHER Jenkins server auto-discovery attempt (server-other.rules)
 * 1:39471 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39470 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39469 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39468 <-> DISABLED <-> SERVER-WEBAPP ACTi ASOC command injection attempt (server-webapp.rules)
 * 1:39465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unlock92 outbound connection attempt (malware-cnc.rules)
 * 1:39464 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39463 <-> ENABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39462 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39461 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39460 <-> DISABLED <-> SERVER-WEBAPP Oracle E-Business Suite SQL injection attempt (server-webapp.rules)
 * 1:39459 <-> DISABLED <-> SERVER-WEBAPP Oracle Web Cache HTTP header null byte injection attempt (server-webapp.rules)
 * 1:39458 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39457 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39456 <-> DISABLED <-> SERVER-WEBAPP NAS4Free txtPHPCommand remote code execution attempt (server-webapp.rules)
 * 1:39455 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39454 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader U3D e3_bone object out of bounds memory access attempt (file-pdf.rules)
 * 1:39453 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)
 * 3:39467 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

Modified Rules:


 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39399 <-> DISABLED <-> SERVER-WEBAPP Symantec open redirect in external URL .php script attempt (server-webapp.rules)
 * 1:39443 <-> DISABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
 * 1:39380 <-> DISABLED <-> SERVER-OTHER Symantec MIME parser updateheader heap buffer overflow attempt (server-other.rules)
 * 3:39161 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)
 * 3:39162 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0174 attack attempt (file-pdf.rules)
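The changelogs above all use the same one-line-per-rule format, `gid:sid <-> Default rule state <-> Message (rule group)`, and a practitioner reading them usually wants two things out of it: which new rules arrive DISABLED (shipped commented out, so they give no coverage until explicitly enabled) and whether the per-version logs actually agree. The following is an added example written for this page, not Talos or PulledPork code; it parses that format, summarises it, emits an enablesid.conf fragment for a chosen rule group, flags gid 3 (shared-object) entries, and compares two changelogs for equal coverage. The sample input is a constructed excerpt of entries copied from the 2016-07-07 list above.

```python
import re
from collections import Counter

# Constructed sample input: a handful of entries copied from the 2016-07-07
# changelog above, in the "gid:sid <-> state <-> message (group)" format.
SAMPLE = """\
New Rules:

 * 1:39474 <-> DISABLED <-> SERVER-WEBAPP Riverbed SteelCentral NetProfiler REST API login SQL injection attempt (server-webapp.rules)
 * 1:39465 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Unlock92 outbound connection attempt (malware-cnc.rules)
 * 1:39456 <-> DISABLED <-> SERVER-WEBAPP NAS4Free txtPHPCommand remote code execution attempt (server-webapp.rules)
 * 3:39466 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0182 attack attempt (file-executable.rules)

Modified Rules:

 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:39443 <-> DISABLED <-> PUA-ADWARE Win.Adware.InstallFaster variant outbound connection attempt (pua-adware.rules)
"""

# One changelog entry: " * gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it appeared in."""
    section = None
    rules = []
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            rules.append({
                "gid": int(m["gid"]),
                "sid": int(m["sid"]),
                "state": m["state"],
                "msg": m["msg"],
                "group": m["group"],
                "section": section,
            })
    return rules


def summary(rules):
    """Counts keyed by (section, default state), e.g. ('new', 'DISABLED')."""
    return Counter((r["section"], r["state"]) for r in rules)


def needs_enabling(rules, groups=None):
    """New rules shipped DISABLED, optionally restricted to given rule groups."""
    return [r for r in rules
            if r["section"] == "new" and r["state"] == "DISABLED"
            and (groups is None or r["group"] in groups)]


def enablesid_conf(rules, groups=None):
    """Lines for a PulledPork enablesid.conf: lines starting with '#' are
    comments, and a bare gid:sid on its own line turns that rule on."""
    out = []
    for r in needs_enabling(rules, groups):
        out.append(f"# {r['msg']} ({r['group']})")
        out.append(f"{r['gid']}:{r['sid']}")
    return out


def so_rules(rules):
    """gid 3 entries are shared-object (precompiled) rules; they only load when
    the SO rule pack matching your Snort version and platform is installed."""
    return sorted((r["gid"], r["sid"]) for r in rules if r["gid"] == 3)


def same_coverage(text_a, text_b):
    """True when two changelogs list the same (gid, sid, section, state) set,
    regardless of line order; use it to check version-specific logs agree."""
    def key(rules):
        return {(r["gid"], r["sid"], r["section"], r["state"]) for r in rules}
    return key(parse_changelog(text_a)) == key(parse_changelog(text_b))


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print(summary(rules))
    print("\n".join(enablesid_conf(rules, {"server-webapp.rules"})))
    print("SO rules:", so_rules(rules))
```

Run against the full lists above, the `server-webapp.rules` filter catches every Riverbed NetProfiler, ACTi ASOC, Oracle, NAS4Free and Shopware signature in this release, all of which ship DISABLED; an operator exposing any of those products gets no coverage from this update until those SIDs are enabled. `same_coverage` confirms that the 2976, 2982 and 2983 logs, which list the same rules in different orders, are equivalent.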