Talos Rules 2017-02-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that several of the new rules (the PROTOCOL-SCADA DoS, Trend Micro InterScan command injection, Beck IPC CHIP DoS and POLICY-OTHER rules) ship DISABLED and only take effect once enabled in your policy.

Change logs

2017-02-28 15:49:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

"Default rule state" is the state in which the rule ships in the pack: an ENABLED rule alerts as soon as the pack is installed, while a DISABLED rule is present in the rule file but does nothing until you enable it (for example via a SID management file in PulledPork or your policy).

New Rules:


 * 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
 * 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
 * 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

Modified Rules:


 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)

2017-02-28 15:49:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
 * 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
 * 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

Modified Rules:


 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)

2017-02-28 15:49:00 UTC

Snort Subscriber Rules Update

Date: 2017-02-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41729 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41730 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41731 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41733 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41734 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41735 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41736 <-> DISABLED <-> SERVER-OTHER Beck IPC CHIP DoS attempt (server-other.rules)
 * 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41738 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41739 <-> DISABLED <-> PROTOCOL-SCADA Moxa Mass Config Tool DOS attempt (protocol-scada.rules)
 * 1:41740 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41741 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString and valueOf function attempt (file-flash.rules)
 * 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

Modified Rules:


 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41381 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41382 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41723 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt (server-other.rules)
 * 1:41724 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt (server-other.rules)
 * 1:41725 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol version command attempt (server-other.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
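The three change logs above use the same "gid:sid <-> Default rule state <-> Message (rule group)" line format, and they list the same set of rules for Snort 2976, 2983 and 2990 in different orders. The script below is an added example, not Talos tooling: it parses that format, checks whether every pack version in the log carries the same rule set, and lists the new rules that ship DISABLED in the rule groups you care about, so you can enable them deliberately rather than discover later that a Trend Micro or SCADA rule never fired. The embedded input is a constructed excerpt in the changelog's format; the `enablesid_block` output form (one gid:sid per line) is the form PulledPork's enablesid.conf accepts.

```python
"""Parse a Snort Subscriber Rules Update changelog (Talos format).
Added example, not Talos code. SAMPLE is a constructed excerpt that
mirrors the format of the changelog above (two pack versions, subset of lines)."""
import re
from collections import defaultdict

SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

New Rules:

 * 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)
 * 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)

Modified Rules:

 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:

 * 1:41728 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel SXLI record integer overrun attempt (file-office.rules)
 * 1:41742 <-> DISABLED <-> POLICY-OTHER external admin access attempt (policy-other.rules)
 * 1:41732 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security Appliance command injection attempt (server-webapp.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 1:41737 <-> DISABLED <-> PROTOCOL-SCADA Sunway DOS attempt (protocol-scada.rules)

Modified Rules:

 * 1:41722 <-> ENABLED <-> SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt (server-other.rules)
 * 1:41380 <-> DISABLED <-> SERVER-OTHER OpenLDAP BER Message denial of service attempt (server-other.rules)
"""

# "…rule pack for Snort version 2976." introduces each per-version block.
VERSION_RE = re.compile(r"rule pack for Snort version (\d+)")
# One rule line: " * gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the Snort pack version and
    the section (new/modified) it appeared under."""
    entries, version, section = [], None, None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version, section = m.group(1), None
            continue
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and version and section:
            entries.append({
                "version": version, "section": section,
                "gid": int(m["gid"]), "sid": int(m["sid"]),
                "enabled": m["state"] == "ENABLED",
                "msg": m["msg"], "group": m["group"],
            })
    return entries


def rules_per_pack(entries):
    """Map pack version -> frozenset of (section, gid, sid, enabled)."""
    packs = defaultdict(set)
    for e in entries:
        packs[e["version"]].add((e["section"], e["gid"], e["sid"], e["enabled"]))
    return {v: frozenset(s) for v, s in packs.items()}


def packs_identical(entries):
    """True when every pack version lists the same rules with the same
    default state; listing order is irrelevant."""
    sets = list(rules_per_pack(entries).values())
    return bool(sets) and all(s == sets[0] for s in sets[1:])


def disabled_new_rules(entries, groups):
    """gid:sid strings of NEW rules shipped DISABLED in the given rule
    groups (these never alert until you enable them), sorted by gid, sid."""
    wanted = set(groups)
    seen = {(e["gid"], e["sid"]) for e in entries
            if e["section"] == "new" and not e["enabled"] and e["group"] in wanted}
    return [f"{g}:{s}" for g, s in sorted(seen)]


def enablesid_block(entries, groups):
    """Render those SIDs one per line, the form PulledPork's enablesid.conf takes."""
    return "\n".join(disabled_new_rules(entries, groups))


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("packs identical:", packs_identical(parsed))
    print(enablesid_block(parsed, ["protocol-scada.rules", "server-webapp.rules"]))
```

Run against the full changelog text of this page, `packs_identical` confirms that the 2976, 2983 and 2990 packs carry the same set, so one enablesid decision covers all three; feeding the real file instead of `SAMPLE` only requires reading it from disk.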