Talos Rules 2016-11-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-executable, file-pdf, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-11-29 23:20:11 UTC

Snort Subscriber Rules Update

Date: 2016-11-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40883 <-> ENABLED <-> SERVER-WEBAPP WordPress XMLRPC pingback ddos attempt (server-webapp.rules)
 * 1:40048 <-> DISABLED <-> DELETED SERVER-OTHER Cisco ACE SSL Client Hello with excessive length denial of service attempt (deleted.rules)
 * 1:40880 <-> DISABLED <-> DELETED edaec1f2-b660-11e6-8e1c-23d9e3ca6b29 (deleted.rules)
 * 1:40876 <-> DISABLED <-> SERVER-OTHER Pidgin MXIT file transfer length memory disclosure attempt (server-other.rules)
 * 1:40881 <-> DISABLED <-> SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt (server-webapp.rules)
 * 1:40882 <-> DISABLED <-> SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt (server-webapp.rules)
 * 3:40878 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
 * 3:40873 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40872 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40879 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
 * 3:40875 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40877 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
 * 3:40874 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40618 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:20178 <-> DISABLED <-> PROTOCOL-SCADA RSLogix rna protocol denial of service attempt (protocol-scada.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:40619 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)

2016-11-29 23:20:11 UTC

Snort Subscriber Rules Update

Date: 2016-11-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40883 <-> ENABLED <-> SERVER-WEBAPP WordPress XMLRPC pingback ddos attempt (server-webapp.rules)
 * 1:40882 <-> DISABLED <-> SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt (server-webapp.rules)
 * 1:40881 <-> DISABLED <-> SERVER-WEBAPP Wordpress Symposium get_album_item.php SQL injection attempt (server-webapp.rules)
 * 1:40880 <-> DISABLED <-> DELETED edaec1f2-b660-11e6-8e1c-23d9e3ca6b29 (deleted.rules)
 * 1:40876 <-> DISABLED <-> SERVER-OTHER Pidgin MXIT file transfer length memory disclosure attempt (server-other.rules)
 * 1:40048 <-> DISABLED <-> DELETED SERVER-OTHER Cisco ACE SSL Client Hello with excessive length denial of service attempt (deleted.rules)
 * 3:40872 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40873 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40879 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
 * 3:40878 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-CAN-0188 attack attempt (file-executable.rules)
 * 3:40877 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine SSL handshake parsing denial of service attempt (server-other.rules)
 * 3:40874 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)
 * 3:40875 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0228 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40618 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:40619 <-> ENABLED <-> FILE-PDF Adobe Reader XML Metadata memory corruption attempt (file-pdf.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:20178 <-> DISABLED <-> PROTOCOL-SCADA RSLogix rna protocol denial of service attempt (protocol-scada.rules)
 * 1:36379 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)