Talos Rules 2017-04-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-voip and server-webapp rule sets to provide coverage for emerging threats against these technologies. Note that most of the new rules ship DISABLED by default (see the change logs below); they only take effect once enabled in the deployed policy.

Change logs

2017-04-20 16:50:55 UTC

Snort Subscriber Rules Update

Date: 2017-04-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (2.9.7.6).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
 * 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
 * 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
 * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
 * 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
 * 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
 * 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
 * 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
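The `gid:sid <-> state <-> message (rule group)` format above is stable across Talos change logs, so it is worth parsing rather than reading by eye. The following is an added example, not code from Talos or from the Snort project: it parses a change-log excerpt (a constructed subset of the lines listed above), separates new from modified rules, flags the ones that ship disabled, and emits `gid:sid` lines in the form PulledPork's `enablesid.conf` accepts for the categories an operator chooses to turn on. It also picks out gid 3 entries, which are shared-object (SO) rules that require the matching precompiled SO package for the Snort version in use; the selection of categories passed to `enablesid_lines` is an operator choice and is only illustrative here.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed excerpt of the 2017-04-20 change log (a subset of the
# lines on this page, in the same format).
CHANGELOG = """\
New Rules:

 * 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
 * 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
 * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
 * 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

Modified Rules:

 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
"""

# One change-log entry: " * gid:sid <-> STATE <-> message (file.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<file>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool
    message: str
    rule_file: str
    section: str  # "new" or "modified"

    @property
    def category(self) -> str:
        # Talos messages start with the rule class, e.g. "OS-WINDOWS".
        return self.message.split(" ", 1)[0]


def parse_changelog(text: str) -> List[RuleChange]:
    """Parse a Talos change log into RuleChange records, tracking the section."""
    changes: List[RuleChange] = []
    section: Optional[str] = None
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, dates, format description
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        changes.append(RuleChange(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            message=m["msg"], rule_file=m["file"], section=section,
        ))
    return changes


def disabled_new_rules(changes: Iterable[RuleChange]) -> List[RuleChange]:
    """New rules that will not fire until the operator enables them."""
    return [c for c in changes if c.section == "new" and not c.enabled]


def shared_object_rules(changes: Iterable[RuleChange]) -> List[RuleChange]:
    """gid 3 entries are shared-object rules; they need the SO package for the Snort build."""
    return [c for c in changes if c.gid == 3]


def enablesid_lines(changes: Iterable[RuleChange], categories: Iterable[str]) -> List[str]:
    """gid:sid lines for PulledPork's enablesid.conf, for the chosen rule classes only."""
    wanted = set(categories)
    return sorted(f"{c.gid}:{c.sid}" for c in changes if not c.enabled and c.category in wanted)


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG)
    for c in disabled_new_rules(parsed):
        print(f"disabled by default: {c.gid}:{c.sid} {c.message}")
    # Example operator choice (an assumption for this demo): enable the
    # Windows and exploit-kit classes on a perimeter sensor.
    print("\n".join(enablesid_lines(parsed, {"OS-WINDOWS", "EXPLOIT-KIT"})))
```

Run against the full change log for the Snort version actually deployed (only one of the three logs on this page applies to a given sensor), then feed the resulting `enablesid.conf` to the rule-update tool before reloading Snort.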

2017-04-20 16:50:55 UTC

Snort Subscriber Rules Update

Date: 2017-04-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (2.9.8.3).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
 * 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
 * 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
 * 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
 * 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
 * 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
 * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
 * 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)

2017-04-20 16:50:55 UTC

Snort Subscriber Rules Update

Date: 2017-04-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (2.9.9.0).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42310 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 1:42309 <-> ENABLED <-> FILE-PDF Adobe Acrobat embedded JPEG2000 invalid header out of bounds memory access attempt (file-pdf.rules)
 * 1:42308 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 1:42307 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF out of bounds memory access attempt (file-pdf.rules)
 * 1:42306 <-> DISABLED <-> SERVER-WEBAPP xArrow webserver denial of service attempt (server-webapp.rules)
 * 1:42305 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42304 <-> DISABLED <-> FILE-OTHER fwpuclnt dll-load exploit attempt (file-other.rules)
 * 1:42303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt (malware-cnc.rules)
 * 1:42302 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu outbound connection attempt (malware-cnc.rules)
 * 1:42301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response (malware-cnc.rules)
 * 1:42300 <-> DISABLED <-> SERVER-WEBAPP SensorIP2 default credentials enumeration attempt (server-webapp.rules)
 * 1:42299 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42298 <-> DISABLED <-> FILE-PDF Adobe PDF PPKLite security handler memory corruption vulnerability attempt (file-pdf.rules)
 * 1:42297 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42296 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed PRC file out of bounds read attempt (file-pdf.rules)
 * 1:42295 <-> DISABLED <-> SERVER-WEBAPP Events HMI information disclosure attempt (server-webapp.rules)
 * 1:42294 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 WriteAndX and TransSecondaryRequest TotalDataCount out of bounds write attempt (os-windows.rules)
 * 1:42292 <-> DISABLED <-> INDICATOR-COMPROMISE malicious javascript obfuscation detected (indicator-compromise.rules)
 * 3:42293 <-> ENABLED <-> PROTOCOL-VOIP Cisco Unified Communications Manager SIP NOTIFY denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)