Talos Rules 2017-06-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-other, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, policy-other, protocol-scada, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-06-06 17:46:56 UTC

Snort Subscriber Rules Update

Date: 2017-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:43102 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP code upload attempt (server-webapp.rules)
 * 1:43110 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:43090 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43118 <-> DISABLED <-> BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt (browser-chrome.rules)
 * 1:43098 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43122 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess webvrpcs denial of service attempt (protocol-scada.rules)
 * 1:43116 <-> DISABLED <-> SERVER-OTHER Moore Industries NCS denial of service attempt (server-other.rules)
 * 1:43104 <-> DISABLED <-> PROTOCOL-SCADA OPC Systems denial of service attempt (protocol-scada.rules)
 * 1:43099 <-> ENABLED <-> SERVER-WEBAPP Simple SCADA web-socket connection initialization attempt (server-webapp.rules)
 * 1:43086 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43084 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43095 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43105 <-> DISABLED <-> SERVER-OTHER Novus WS10 Data Server buffer overflow attempt (server-other.rules)
 * 1:43088 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43119 <-> DISABLED <-> SERVER-WEBAPP CyberPower Systems PowerPanel XXE out of band data retrieval attempt (server-webapp.rules)
 * 1:43117 <-> DISABLED <-> BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt (browser-chrome.rules)
 * 1:43094 <-> DISABLED <-> SERVER-OTHER Ecava IntegraXor SCADA information leak attempt (server-other.rules)
 * 1:43115 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:43091 <-> DISABLED <-> SERVER-WEBAPP AggreGate SCADA HMI web form upload xml external entity attack attempt (server-webapp.rules)
 * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules)
 * 1:43108 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:43083 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file download request (file-identify.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet connection detected (server-webapp.rules)
 * 1:43085 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43096 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43092 <-> DISABLED <-> INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt (indicator-compromise.rules)
 * 1:43112 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard overwrite attempt (server-webapp.rules)
 * 1:43114 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:43089 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43103 <-> DISABLED <-> PROTOCOL-SCADA Weintek EasyBuilder Pro denial of service attempt (protocol-scada.rules)
 * 1:43107 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:43111 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:43109 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
 * 1:43087 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file download request (file-identify.rules)
 * 1:43097 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43100 <-> DISABLED <-> SERVER-WEBAPP Simple SCADA web-socket remote command execution attempt (server-webapp.rules)
 * 1:43080 <-> ENABLED <-> BROWSER-OTHER Foscam IP Camera User-Agent string detected (browser-other.rules)
 * 1:43101 <-> DISABLED <-> SERVER-WEBAPP Beckhoff CX9020 remote configuration modification attempt (server-webapp.rules)
 * 1:43106 <-> DISABLED <-> PROTOCOL-SCADA Optima PLC APIFTP denial of service attempt (protocol-scada.rules)
 * 3:43081 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2017-0357 attack attempt (browser-other.rules)
 * 3:43082 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2017-0360 attack attempt (browser-other.rules)
 * 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)

Modified Rules:
 * 1:41906 <-> DISABLED <-> POLICY-OTHER HTTP redirect to FTP server attempt (policy-other.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:42041 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules)
 * 1:36159 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:23490 <-> DISABLED <-> FILE-MULTIMEDIA Oracle Java MixerSequencer RMF MIDI structure handling exploit attempt (file-multimedia.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:43063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kabob outbound connection (malware-cnc.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)

2017-06-06 17:46:56 UTC

Snort Subscriber Rules Update

Date: 2017-06-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:43122 <-> DISABLED <-> PROTOCOL-SCADA Advantech WebAccess webvrpcs denial of service attempt (protocol-scada.rules)
 * 1:43119 <-> DISABLED <-> SERVER-WEBAPP CyberPower Systems PowerPanel XXE out of band data retrieval attempt (server-webapp.rules)
 * 1:43118 <-> DISABLED <-> BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt (browser-chrome.rules)
 * 1:43117 <-> DISABLED <-> BROWSER-CHROME Google Chrome Blink ImageBitmap integer overflow attempt (browser-chrome.rules)
 * 1:43116 <-> DISABLED <-> SERVER-OTHER Moore Industries NCS denial of service attempt (server-other.rules)
 * 1:43115 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:43114 <-> DISABLED <-> FILE-OTHER Microsoft Windows OTF parsing memory corruption attempt (file-other.rules)
 * 1:43113 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard deletion attempt (server-webapp.rules)
 * 1:43112 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric IGSS dashboard overwrite attempt (server-webapp.rules)
 * 1:43111 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:43110 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:43109 <-> ENABLED <-> SERVER-OTHER Magento unauthenticated arbitrary file write attempt (server-other.rules)
 * 1:43108 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:43107 <-> DISABLED <-> FILE-OTHER FreeBSD bspatch utility remote code execution attempt (file-other.rules)
 * 1:43106 <-> DISABLED <-> PROTOCOL-SCADA Optima PLC APIFTP denial of service attempt (protocol-scada.rules)
 * 1:43105 <-> DISABLED <-> SERVER-OTHER Novus WS10 Data Server buffer overflow attempt (server-other.rules)
 * 1:43104 <-> DISABLED <-> PROTOCOL-SCADA OPC Systems denial of service attempt (protocol-scada.rules)
 * 1:43103 <-> DISABLED <-> PROTOCOL-SCADA Weintek EasyBuilder Pro denial of service attempt (protocol-scada.rules)
 * 1:43102 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP code upload attempt (server-webapp.rules)
 * 1:43101 <-> DISABLED <-> SERVER-WEBAPP Beckhoff CX9020 remote configuration modification attempt (server-webapp.rules)
 * 1:43100 <-> DISABLED <-> SERVER-WEBAPP Simple SCADA web-socket remote command execution attempt (server-webapp.rules)
 * 1:43099 <-> ENABLED <-> SERVER-WEBAPP Simple SCADA web-socket connection initialization attempt (server-webapp.rules)
 * 1:43098 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43097 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43096 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43095 <-> ENABLED <-> FILE-IMAGE ImageMagick SyncExifProfile out-of-bounds memory read attempt (file-image.rules)
 * 1:43094 <-> DISABLED <-> SERVER-OTHER Ecava IntegraXor SCADA information leak attempt (server-other.rules)
 * 1:43093 <-> DISABLED <-> SERVER-WEBAPP CA Unified Infrastructure Management download_lar servelet connection detected (server-webapp.rules)
 * 1:43092 <-> DISABLED <-> INDICATOR-COMPROMISE OLE attachment with embedded PICT attempt (indicator-compromise.rules)
 * 1:43091 <-> DISABLED <-> SERVER-WEBAPP AggreGate SCADA HMI web form upload xml external entity attack attempt (server-webapp.rules)
 * 1:43090 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43089 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43088 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file attachment detected (file-identify.rules)
 * 1:43087 <-> ENABLED <-> FILE-IDENTIFY FLIC animation  file download request (file-identify.rules)
 * 1:43086 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43085 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43084 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file attachment detected (file-identify.rules)
 * 1:43083 <-> ENABLED <-> FILE-IDENTIFY Rhinoceros 3D 3dm file download request (file-identify.rules)
 * 1:43080 <-> ENABLED <-> BROWSER-OTHER Foscam IP Camera User-Agent string detected (browser-other.rules)
 * 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43081 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2017-0357 attack attempt (browser-other.rules)
 * 3:43082 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2017-0360 attack attempt (browser-other.rules)

Modified Rules:
 * 1:40715 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:39816 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:39817 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmSDyaTop memory leak attempt (file-office.rules)
 * 1:37860 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36159 <-> ENABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:23490 <-> DISABLED <-> FILE-MULTIMEDIA Oracle Java MixerSequencer RMF MIDI structure handling exploit attempt (file-multimedia.rules)
 * 1:37859 <-> ENABLED <-> SERVER-WEBAPP Java Library CommonsCollection unauthorized serialized object attempt (server-webapp.rules)
 * 1:40716 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41906 <-> DISABLED <-> POLICY-OTHER HTTP redirect to FTP server attempt (policy-other.rules)
 * 1:42040 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42041 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:43063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kabob outbound connection (malware-cnc.rules)
 * 1:43073 <-> DISABLED <-> SQL SysAid potential default credential login attempt (sql.rules)