Talos Rules 2016-12-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-flash, file-office, os-windows, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-12-29 18:55:44 UTC

Snort Subscriber Rules Update

Date: 2016-12-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41098 <-> DISABLED <-> DELETED 21dd360d-5d6d-4b2c-88e2-d94532364c47 (deleted.rules)
 * 1:41101 <-> DISABLED <-> DELETED eee180b8-fd21-46da-bdda-a2d5f2e34917 (deleted.rules)
 * 1:41099 <-> DISABLED <-> DELETED 907f5746-8b89-4167-a626-66fb07b49056 (deleted.rules)
 * 1:41094 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:41100 <-> DISABLED <-> DELETED a76182f0-e9d5-4f90-940e-72e13d06ccfd (deleted.rules)
 * 1:41106 <-> DISABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 3:41102 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41103 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41097 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0238 attack attempt (server-other.rules)
 * 3:41104 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41105 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:16409 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)

2016-12-29 18:55:44 UTC

Snort Subscriber Rules Update

Date: 2016-12-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41106 <-> DISABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41100 <-> DISABLED <-> DELETED a76182f0-e9d5-4f90-940e-72e13d06ccfd (deleted.rules)
 * 1:41101 <-> DISABLED <-> DELETED eee180b8-fd21-46da-bdda-a2d5f2e34917 (deleted.rules)
 * 1:41094 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41098 <-> DISABLED <-> DELETED 21dd360d-5d6d-4b2c-88e2-d94532364c47 (deleted.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41099 <-> DISABLED <-> DELETED 907f5746-8b89-4167-a626-66fb07b49056 (deleted.rules)
 * 3:41102 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41097 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0238 attack attempt (server-other.rules)
 * 3:41104 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41105 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41103 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:16409 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)

2016-12-29 18:55:44 UTC

Snort Subscriber Rules Update

Date: 2016-12-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41106 <-> DISABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41101 <-> DISABLED <-> DELETED eee180b8-fd21-46da-bdda-a2d5f2e34917 (deleted.rules)
 * 1:41100 <-> DISABLED <-> DELETED a76182f0-e9d5-4f90-940e-72e13d06ccfd (deleted.rules)
 * 1:41099 <-> DISABLED <-> DELETED 907f5746-8b89-4167-a626-66fb07b49056 (deleted.rules)
 * 1:41098 <-> DISABLED <-> DELETED 21dd360d-5d6d-4b2c-88e2-d94532364c47 (deleted.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41094 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 3:41105 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41097 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0238 attack attempt (server-other.rules)
 * 3:41102 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41103 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)
 * 3:41104 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0233 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:16409 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint improper filename remote code execution attempt (file-office.rules)
 * 1:41079 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41078 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 traffic to/from EXTERNAL_NET (protocol-scada.rules)
 * 1:41077 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 unknown ASDU type detected (protocol-scada.rules)
 * 1:41076 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 double command issued (protocol-scada.rules)
 * 1:41075 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 counter interrogation command (protocol-scada.rules)
 * 1:41074 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 clock sync command (protocol-scada.rules)
 * 1:41073 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 bitstring of 32 bits (protocol-scada.rules)
 * 1:41072 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Test command with time tag (protocol-scada.rules)
 * 1:41071 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Step point information (protocol-scada.rules)
 * 1:41070 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single point information (protocol-scada.rules)
 * 1:41069 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Single command (protocol-scada.rules)
 * 1:41068 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Set point command (protocol-scada.rules)
 * 1:41067 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Rest process command (protocol-scada.rules)
 * 1:41066 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Regulating step command (protocol-scada.rules)
 * 1:41065 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Read command (protocol-scada.rules)
 * 1:41064 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Query Log (protocol-scada.rules)
 * 1:41063 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Parameter value (protocol-scada.rules)
 * 1:41062 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Packed start events (protocol-scada.rules)
 * 1:41061 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Measured value (protocol-scada.rules)
 * 1:41060 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 List directory (protocol-scada.rules)
 * 1:41059 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Last section (protocol-scada.rules)
 * 1:41058 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Interrogation command (protocol-scada.rules)
 * 1:41057 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Integrated totals (protocol-scada.rules)
 * 1:41056 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 File ready (protocol-scada.rules)
 * 1:41055 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 End of initialization (protocol-scada.rules)
 * 1:41054 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Double point information (protocol-scada.rules)
 * 1:41053 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 Ack file (protocol-scada.rules)
 * 1:41052 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR CON (protocol-scada.rules)
 * 1:41049 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT ACT (protocol-scada.rules)
 * 1:41051 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 TESTFR ACT (protocol-scada.rules)
 * 1:41048 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT CON (protocol-scada.rules)
 * 1:41050 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STOPDT CON (protocol-scada.rules)
 * 1:41047 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 STARTDT ACT (protocol-scada.rules)
 * 1:41003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 1:41002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime SDK out of bounds read attempt (file-flash.rules)
 * 3:21619 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt (os-windows.rules)