Talos Rules 2017-06-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-multimedia, file-office, file-other, indicator-compromise, os-windows, protocol-dns, protocol-imap, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-06-01 15:00:30 UTC

Snort Subscriber Rules Update

Date: 2017-06-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43064 <-> ENABLED <-> SERVER-OTHER NetBackup bprd remote file write attempt (server-other.rules)
 * 1:43065 <-> DISABLED <-> INDICATOR-COMPROMISE Trend Micro Control Manager WFINFOR cookie authentication bypass attempt (indicator-compromise.rules)
 * 1:43066 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager importFile.php directory traversal attempt (server-webapp.rules)
 * 1:43067 <-> ENABLED <-> PROTOCOL-IMAP IMAP CRAM-MD5 authentication attempt (protocol-imap.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:43069 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43070 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43071 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43072 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules)
 * 1:43074 <-> DISABLED <-> INDICATOR-COMPROMISE SysAid mssql potentially malicious new user creation attempt (indicator-compromise.rules)
 * 1:43075 <-> DISABLED <-> INDICATOR-COMPROMISE SysAid mssql potentially malicious user permissions creation (indicator-compromise.rules)
 * 1:43077 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:43078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:43079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 3:43076 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0354 attack attempt (server-other.rules)

Modified Rules:


 * 1:35207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt (browser-ie.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:23556 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:25650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35859 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt (file-multimedia.rules)
 * 1:35208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt (browser-ie.rules)
 * 1:35860 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt (file-multimedia.rules)
 * 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
 * 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36858 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36859 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37574 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:40341 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php PHP code injection attempt (server-webapp.rules)
 * 1:40342 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php directory traversal attempt (server-webapp.rules)
 * 1:40422 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 4115 remote code execution attempt (server-other.rules)
 * 1:41839 <-> ENABLED <-> BROWSER-IE Microsoft Edge object mutation memory corruption attempt (browser-ie.rules)
 * 1:41840 <-> ENABLED <-> BROWSER-IE Microsoft Edge object mutation memory corruption attempt (browser-ie.rules)
 * 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
 * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:36860 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:37572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:15469 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)

2017-06-01 15:00:30 UTC

Snort Subscriber Rules Update

Date: 2017-06-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:43078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:43077 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA ManagePatches servlet command injection attempt (server-webapp.rules)
 * 1:43075 <-> DISABLED <-> INDICATOR-COMPROMISE SysAid mssql potentially malicious user permissions creation (indicator-compromise.rules)
 * 1:43074 <-> DISABLED <-> INDICATOR-COMPROMISE SysAid mssql potentially malicious new user creation attempt (indicator-compromise.rules)
 * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules)
 * 1:43072 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43071 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43070 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43069 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:43068 <-> DISABLED <-> SERVER-OTHER IBM Lotus Domino IMAP server CRAM-MD5 authentication buffer overflow attempt (server-other.rules)
 * 1:43067 <-> ENABLED <-> PROTOCOL-IMAP IMAP CRAM-MD5 authentication attempt (protocol-imap.rules)
 * 1:43066 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Control Manager importFile.php directory traversal attempt (server-webapp.rules)
 * 1:43065 <-> DISABLED <-> INDICATOR-COMPROMISE Trend Micro Control Manager WFINFOR cookie authentication bypass attempt (indicator-compromise.rules)
 * 1:43064 <-> ENABLED <-> SERVER-OTHER NetBackup bprd remote file write attempt (server-other.rules)
 * 3:43076 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0354 attack attempt (server-other.rules)

Modified Rules:


 * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
 * 1:41840 <-> ENABLED <-> BROWSER-IE Microsoft Edge object mutation memory corruption attempt (browser-ie.rules)
 * 1:41839 <-> ENABLED <-> BROWSER-IE Microsoft Edge object mutation memory corruption attempt (browser-ie.rules)
 * 1:40422 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 4115 remote code execution attempt (server-other.rules)
 * 1:40342 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php directory traversal attempt (server-webapp.rules)
 * 1:40341 <-> DISABLED <-> SERVER-WEBAPP FreePBX Hotelwakeup Module ajax.php PHP code injection attempt (server-webapp.rules)
 * 1:39473 <-> DISABLED <-> SERVER-WEBAPP Shopware getTemplateName directory traversal attempt (server-webapp.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:37574 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:36860 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36859 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36858 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36532 <-> DISABLED <-> SERVER-OTHER Oracle Java JMX server insecure configuration remote code execution attempt (server-other.rules)
 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
 * 1:35860 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt (file-multimedia.rules)
 * 1:35859 <-> DISABLED <-> FILE-MULTIMEDIA Apple QuickTime traf atom out of bounds read attempt (file-multimedia.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35208 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt (browser-ie.rules)
 * 1:35207 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer JSON stringify double free attempt (browser-ie.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:25650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:23556 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:15469 <-> DISABLED <-> FILE-OFFICE Microsoft Office WordPad and Office text converters integer underflow attempt (file-office.rules)
 * 1:21268 <-> DISABLED <-> SERVER-OTHER Oracle Java RMI services remote object execution attempt (server-other.rules)
 * 1:15147 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt (browser-ie.rules)