Talos Rules 2017-03-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, file-executable, file-office, indicator-obfuscation, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-03-30 01:00:45 UTC

Snort Subscriber Rules Update

Date: 2017-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
 * 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
 * 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)

Modified Rules:


 * 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)

2017-03-30 01:00:45 UTC

Snort Subscriber Rules Update

Date: 2017-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
 * 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
 * 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
 * 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)

Modified Rules:


 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)

2017-03-30 01:00:45 UTC

Snort Subscriber Rules Update

Date: 2017-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
 * 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
 * 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
 * 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
 * 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
 * 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
 * 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
 * 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)

Modified Rules:


 * 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
 * 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
 * 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
 * 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)