Talos Rules 2017-01-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-pdf, os-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-01-12 19:52:08 UTC

Snort Subscriber Rules Update

Date: 2017-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41214 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movieclip use after free attempt (file-flash.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41207 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 1:41215 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41208 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 3:41195 <-> ENABLED <-> PROTOCOL-SNMP Cisco IP routing configuration manipulation via SNMP attempt (protocol-snmp.rules)
 * 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41220 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41206 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0266 attack attempt (server-other.rules)
 * 3:41209 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0267 attack attempt (server-other.rules)
 * 3:41216 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0268 attack attempt (server-other.rules)
 * 3:41212 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0264 attack attempt (server-other.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0230 attack attempt (server-webapp.rules)
 * 3:41222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0240 attack attempt (server-webapp.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)
 * 3:41219 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0263 attack attempt (server-other.rules)
 * 3:41217 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)
 * 3:41218 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)

Modified Rules:
 * 1:40987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:40670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)

2017-01-12 19:52:08 UTC

Snort Subscriber Rules Update

Date: 2017-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.


New Rules:
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41208 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41214 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movieclip use after free attempt (file-flash.rules)
 * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41215 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41207 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 3:41220 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0230 attack attempt (server-webapp.rules)
 * 3:41219 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0263 attack attempt (server-other.rules)
 * 3:41216 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0268 attack attempt (server-other.rules)
 * 3:41222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0240 attack attempt (server-webapp.rules)
 * 3:41195 <-> ENABLED <-> PROTOCOL-SNMP Cisco IP routing configuration manipulation via SNMP attempt (protocol-snmp.rules)
 * 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41206 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0266 attack attempt (server-other.rules)
 * 3:41209 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0267 attack attempt (server-other.rules)
 * 3:41212 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0264 attack attempt (server-other.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)
 * 3:41217 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)
 * 3:41218 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)

Modified Rules:
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:40669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)

2017-01-12 19:52:08 UTC

Snort Subscriber Rules Update

Date: 2017-01-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.


New Rules:
 * 1:41215 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movie clip use after free attempt (file-flash.rules)
 * 1:41214 <-> DISABLED <-> FILE-FLASH Adobe Flash Player onSetFocus movieclip use after free attempt (file-flash.rules)
 * 1:41211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:41208 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 1:41207 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed PlaceObject3 memory corruption attempt (file-flash.rules)
 * 1:41205 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41204 <-> DISABLED <-> FILE-PDF Adobe Reader XSL type confusion attempt (file-pdf.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41201 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41200 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41199 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 1:41198 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat TIFF Software tag heap buffer overflow attempt (file-image.rules)
 * 3:41216 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0268 attack attempt (server-other.rules)
 * 3:41222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0240 attack attempt (server-webapp.rules)
 * 3:41195 <-> ENABLED <-> PROTOCOL-SNMP Cisco IP routing configuration manipulation via SNMP attempt (protocol-snmp.rules)
 * 3:41223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0230 attack attempt (server-webapp.rules)
 * 3:41196 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41197 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0226 attack attempt (file-pdf.rules)
 * 3:41206 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0266 attack attempt (server-other.rules)
 * 3:41209 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0267 attack attempt (server-other.rules)
 * 3:41212 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0264 attack attempt (server-other.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)
 * 3:41221 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41220 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2016-0234 attack attempt (server-webapp.rules)
 * 3:41219 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0263 attack attempt (server-other.rules)
 * 3:41217 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)
 * 3:41218 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2016-0257 TALOS-2016-0258 attack attempt (os-other.rules)

Modified Rules:
 * 1:41045 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:41046 <-> DISABLED <-> FILE-FLASH Adobe Flash Player TextField setter use after free attempt (file-flash.rules)
 * 1:40986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer title integer overflow attempt (browser-ie.rules)
 * 1:40669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:40573 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:40574 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA resolveNode memory corruption attempt (file-pdf.rules)
 * 1:39273 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)
 * 1:39274 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF heap overflow attempt (file-flash.rules)