Talos Rules 2017-04-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-04-27 15:28:27 UTC

Snort Subscriber Rules Update

Date: 2017-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
 * 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
 * 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
 * 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
 * 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
 * 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)

2017-04-27 15:28:27 UTC

Snort Subscriber Rules Update

Date: 2017-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
 * 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
 * 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
 * 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
 * 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
 * 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)

2017-04-27 15:28:27 UTC

Snort Subscriber Rules Update

Date: 2017-04-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42402 <-> DISABLED <-> SERVER-WEBAPP multiple product command injection attempt (server-webapp.rules)
 * 1:42401 <-> DISABLED <-> SERVER-WEBAPP multiple product version scan attempt (server-webapp.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42397 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42396 <-> DISABLED <-> EXPLOIT-KIT Blacole inbound malformed pdf download attempt (exploit-kit.rules)
 * 1:42395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oddjob outbound connection (malware-cnc.rules)
 * 1:42394 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42393 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42392 <-> DISABLED <-> SERVER-WEBAPP Yealink VoIP phone directory traversal attempt (server-webapp.rules)
 * 1:42391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42390 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moarider variant outbound connection attempt (malware-cnc.rules)
 * 1:42389 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:42388 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42387 <-> DISABLED <-> SERVER-WEBAPP DataRate SCADA directory traversal attempt (server-webapp.rules)
 * 1:42386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Moonwind outbound communication (malware-cnc.rules)
 * 1:42384 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42383 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42382 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt (server-webapp.rules)
 * 1:42381 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42380 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42379 <-> DISABLED <-> SERVER-WEBAPP OpenCart directory traversal attempt (server-webapp.rules)
 * 1:42378 <-> DISABLED <-> SERVER-OTHER Yealink VoIP phone remote code execution attempt (server-other.rules)
 * 1:42377 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 3:42399 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)
 * 3:42400 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0323 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:41032 <-> DISABLED <-> SERVER-WEBAPP Trend Micro hotfix_upload.cgi command injection attempt (server-webapp.rules)
 * 1:16151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized or deleted object access attempt (browser-ie.rules)
 * 1:23055 <-> DISABLED <-> PROTOCOL-FTP Cisco IOS FTP MKD buffer overflow attempt (protocol-ftp.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42339 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory (os-windows.rules)
 * 1:26694 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader dll injection sandbox escape (file-pdf.rules)
 * 1:24910 <-> DISABLED <-> SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt (server-mysql.rules)