Talos Rules 2017-05-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-05-23 15:39:12 UTC

Snort Subscriber Rules Update

Date: 2017-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42962 <-> DISABLED <-> SERVER-WEBAPP Java Hibernate Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42953 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42951 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42954 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules)
 * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42960 <-> DISABLED <-> SERVER-WEBAPP Java BeanShell Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42963 <-> DISABLED <-> SERVER-WEBAPP Java Mozilla Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42964 <-> DISABLED <-> SERVER-WEBAPP Java MyFaces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42965 <-> DISABLED <-> SERVER-WEBAPP Java RMI Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42966 <-> DISABLED <-> SERVER-WEBAPP Java URLDNS Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42967 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
 * 1:42968 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
 * 1:42969 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42952 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection attempt (malware-cnc.rules)
 * 1:42955 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance upload.cgi directory traversal attempt (server-webapp.rules)
 * 1:42972 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42970 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42971 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)

Modified Rules:


 * 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
 * 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)

2017-05-23 15:39:12 UTC

Snort Subscriber Rules Update

Date: 2017-05-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42972 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42971 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42970 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42969 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader javascript engine stack overflow attempt (file-pdf.rules)
 * 1:42968 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
 * 1:42967 <-> DISABLED <-> POLICY-OTHER Adobe Acrobat cloud file undocumented function use (policy-other.rules)
 * 1:42966 <-> DISABLED <-> SERVER-WEBAPP Java URLDNS Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42965 <-> DISABLED <-> SERVER-WEBAPP Java RMI Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42964 <-> DISABLED <-> SERVER-WEBAPP Java MyFaces Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42963 <-> DISABLED <-> SERVER-WEBAPP Java Mozilla Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42962 <-> DISABLED <-> SERVER-WEBAPP Java Hibernate Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42961 <-> DISABLED <-> SERVER-WEBAPP Java Groovy Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42960 <-> DISABLED <-> SERVER-WEBAPP Java BeanShell Library unauthorized serialized object attempt (server-webapp.rules)
 * 1:42959 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42958 <-> DISABLED <-> SERVER-WEBAPP Joomla 3.7.0 com_fields view SQL injection attempt (server-webapp.rules)
 * 1:42957 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42956 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42955 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance upload.cgi directory traversal attempt (server-webapp.rules)
 * 1:42954 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42953 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42952 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer directory traversal attempt (server-webapp.rules)
 * 1:42951 <-> ENABLED <-> SERVER-WEBAPP Oracle Fusion Middleware MapViewer arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:42950 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded vbscript tag obfuscation attempt (indicator-obfuscation.rules)
 * 1:42949 <-> DISABLED <-> INDICATOR-OBFUSCATION URL encoded document class name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42948 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped split function name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42947 <-> ENABLED <-> INDICATOR-OBFUSCATION Dridex String.prototype function definition obfuscation attempt (indicator-obfuscation.rules)
 * 1:42946 <-> DISABLED <-> INDICATOR-OBFUSCATION Hex escaped valueOf function name obfuscation attempt (indicator-obfuscation.rules)
 * 1:42945 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:42044 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
 * 1:42045 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom object garbage collection use after free attempt (file-flash.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42311 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42315 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42316 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt (file-pdf.rules)
 * 1:42317 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 1:42318 <-> DISABLED <-> FILE-PDF Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt (file-pdf.rules)
 * 3:42434 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42433 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)