Talos Rules 2017-01-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats in those areas. Note that several of the new and modified rules ship DISABLED by default (the SourceBans cross-site scripting rule, the RTF embedded OLE object rule, the Acrobat Reader graphic matrix rules, the Portable Executable content-type indicators and the Internet Explorer compatibility-mode rule); they provide no coverage until you enable them in your policy.

Change logs

2017-01-06 00:58:28 UTC

Snort Subscriber Rules Update

Date: 2017-01-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
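The line layout above is regular enough to parse mechanically, which is how a practitioner would normally triage a release: pull out every SID, its default state and its rule group, then list what arrived DISABLED so it can be reviewed for enablement. The following Python is an added example written for this page, not a Talos or Snort tool; the sample input is a handful of lines copied from the changelog below and is not a complete release.

```python
"""Parse 'gid:sid <-> Default rule state <-> Message (rule group)' changelog
lines from a Snort rule-update and summarise what changed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: six lines taken from the 2017-01-05 changelog, in the
# exact layout the release notes describe. Not the full release.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)

Modified Rules:

 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
"""

# One changelog entry: leading bullet, gid:sid, state, message, then the
# rule file in parentheses. The message is matched lazily so the trailing
# "(group.rules)" is never swallowed into it.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str
    section: str  # "new" or "modified"


def parse_changelog(text):
    """Return RuleEntry objects for every rule line, tagged with its section."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and headers are not rule entries
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED",
                                 m["msg"], m["group"], section))
    return entries


def disabled_by_default(entries):
    """SIDs that ship DISABLED: no coverage until you enable them yourself."""
    return sorted(e.sid for e in entries if not e.enabled)


def count_by_group(entries):
    """How many entries touched each rule file."""
    return Counter(e.group for e in entries)


def sids_in_section(entries, section):
    return [e.sid for e in entries if e.section == section]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print("new:", sids_in_section(parsed, "new"))
    print("modified:", sids_in_section(parsed, "modified"))
    print("disabled by default:", disabled_by_default(parsed))
    print("per group:", dict(count_by_group(parsed)))
```

Feeding a whole release through `parse_changelog` and diffing `disabled_by_default` against your deployed policy is the quickest way to notice that, for example, the RTF embedded OLE object rule in this release does nothing until it is switched on.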

New Rules:


 * 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
 * 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
 * 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
 * 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
 * 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
 * 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
 * 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
 * 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
 * 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
 * 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)

Modified Rules:


 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
 * 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)

2017-01-06 00:58:28 UTC

Snort Subscriber Rules Update

Date: 2017-01-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
 * 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
 * 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
 * 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
 * 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
 * 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
 * 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
 * 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
 * 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
 * 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)

Modified Rules:


 * 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)

2017-01-06 00:58:28 UTC

Snort Subscriber Rules Update

Date: 2017-01-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41136 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41135 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41134 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41133 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant compromise download attempt (malware-cnc.rules)
 * 1:41132 <-> DISABLED <-> FILE-OFFICE RTF file with embedded OLE object (file-office.rules)
 * 1:41131 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.cderlearn.com (blacklist.rules)
 * 1:41130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wilcarobbe.com (blacklist.rules)
 * 1:41129 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ritsoperrol.ru (blacklist.rules)
 * 1:41128 <-> ENABLED <-> BLACKLIST DNS request for known malware domain private.directinvesting.com (blacklist.rules)
 * 1:41127 <-> ENABLED <-> BLACKLIST DNS request for known malware domain one2shoppee.com (blacklist.rules)
 * 1:41126 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mymodule.waterfilter.in.ua (blacklist.rules)
 * 1:41125 <-> ENABLED <-> BLACKLIST DNS request for known malware domain littjohnwilhap.ru (blacklist.rules)
 * 1:41124 <-> ENABLED <-> BLACKLIST DNS request for known malware domain insta.reduct.ru (blacklist.rules)
 * 1:41123 <-> ENABLED <-> BLACKLIST DNS request for known malware domain efax.pfdregistry.net (blacklist.rules)
 * 1:41122 <-> ENABLED <-> BLACKLIST DNS request for known malware domain editprod.waterfilter.in.ua (blacklist.rules)
 * 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41119 <-> DISABLED <-> SERVER-WEBAPP SourceBans advsearch banlist cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:38946 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:40522 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting (malware-cnc.rules)
 * 1:39729 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type image containing Portable Executable data (indicator-compromise.rules)
 * 1:39006 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39005 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:26851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 5 compatibility mode use after free attempt (browser-ie.rules)
 * 1:39004 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:32867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:32868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader resampling invalid graphic matrix value attempt (file-pdf.rules)
 * 1:35519 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:35520 <-> ENABLED <-> FILE-OTHER Microsoft Windows kernel-mode driver TTF file glyf table out of bounds attempt (file-other.rules)
 * 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data (indicator-compromise.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38871 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39003 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38945 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39001 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39000 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:39002 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38948 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38947 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)