Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows, protocol-scada and server-webapp rule sets to provide coverage for the emerging threats listed below. Note that a number of the new rules ship in the DISABLED state by default and provide no coverage until they are enabled in your policy.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
* 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)

Modified Rules:

* 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
* 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)

Modified Rules:

* 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
* 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
* 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
* 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
* 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
* 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
* 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
* 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
* 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
* 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
* 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
* 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
* 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
* 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)

Modified Rules:

* 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
* 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
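The "gid:sid <-> Default rule state <-> Message (rule group)" format used by each of the release lists above is easy to process mechanically, and doing so is the practical way to act on an update: a rule that ships DISABLED gives no coverage until you enable it, a rule that has moved to deleted.rules with a DELETED prefix should not be enabled at all, and the delta between two releases tells you what changed in your policy. The script below is an added example and is not Talos or Snort code. Its sample input is a subset of entries copied from the 2976 list above (with the line break inside the 1:42289 entry preserved, as the page shows it) plus a constructed, hypothetical earlier changelog used only to exercise the release diff; the "gid:sid" list it emits for default-disabled rules is the one-entry-per-line form that rule managers such as PulledPork's enablesid list accept, which is an assumption about your tooling.

```python
"""Parse a Snort rule-pack changelog in the
"gid:sid <-> STATE <-> Message (group)" format and report what a rule
manager needs: counts, default-disabled coverage, and a release delta."""
import re
from collections import Counter
from dataclasses import dataclass

# One entry after the leading "* " bullet has been stripped.
ENTRY_RE = re.compile(
    r"^(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"

    @property
    def deleted(self) -> bool:
        # Retired rules keep their SID but move to deleted.rules with a DELETED prefix.
        return self.group == "deleted.rules" or self.msg.startswith("DELETED ")


def _sid_key(key: str):
    """Numeric sort key for a 'gid:sid' string."""
    return tuple(int(part) for part in key.split(":"))


def parse_changelog(text: str) -> list:
    """Return the Rule entries in text. Tolerates many entries on one line
    and an entry broken across lines, both of which occur on the page."""
    rules = []
    for chunk in re.split(r"(?:^|\s)\*\s+", text):
        chunk = " ".join(chunk.split())  # collapse any line break inside an entry
        m = ENTRY_RE.match(chunk)
        if m:
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"]))
    return rules


def summarize(rules: list) -> dict:
    """Counts by default state and by rule group."""
    return {
        "by_state": Counter(r.state for r in rules),
        "by_group": Counter(r.group for r in rules),
    }


def default_disabled(rules: list) -> list:
    """gid:sid of live rules that ship DISABLED. They provide no coverage
    until enabled (one 'gid:sid' per line is the enablesid-style form
    assumed here), and rules already moved to deleted.rules are skipped."""
    return sorted((r.key for r in rules if r.state == "DISABLED" and not r.deleted), key=_sid_key)


def diff_releases(old: list, new: list) -> dict:
    """SIDs added, removed, or flipped between ENABLED/DISABLED across two releases."""
    o = {r.key: r for r in old}
    n = {r.key: r for r in new}
    return {
        "added": sorted(set(n) - set(o), key=_sid_key),
        "removed": sorted(set(o) - set(n), key=_sid_key),
        "state_changed": sorted((k for k in set(o) & set(n) if o[k].state != n[k].state), key=_sid_key),
    }


# Subset of the Snort 2976 list from the page, keeping its run-together lines.
SAMPLE_2976 = """\
* 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules) * 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules) * 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules) * 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules) * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt
(indicator-scan.rules) * 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)
* 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
"""

# Constructed, hypothetical earlier changelog; it exists only to exercise diff_releases().
SAMPLE_PREVIOUS = """\
* 1:41984 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
* 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
"""

if __name__ == "__main__":
    current = parse_changelog(SAMPLE_2976)
    print(summarize(current))
    print("review for enabling:", default_disabled(current))
    print(diff_releases(parse_changelog(SAMPLE_PREVIOUS), current))
```

Run against a full release list, the `default_disabled` output is the set to review before the update is considered deployed; the `diff_releases` output is what belongs in the change ticket.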