Talos Rules 2017-06-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-ie, file-other, indicator-compromise, malware-cnc, policy-other, protocol-scada, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-06-08 14:49:43 UTC

Snort Subscriber Rules Update

Date: 2017-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43147 <-> ENABLED <-> SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt (server-webapp.rules)
 * 1:43146 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
 * 1:43145 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
 * 1:43144 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
 * 1:43143 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
 * 1:43142 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
 * 1:43141 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
 * 1:43140 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
 * 1:43139 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
 * 1:43138 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
 * 1:43137 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
 * 1:43136 <-> DISABLED <-> SERVER-MAIL SysGauge SMTP response buffer overflow (server-mail.rules)
 * 1:43134 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
 * 1:43133 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43132 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43131 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43130 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules)
 * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules)
 * 1:43126 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
 * 1:43125 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
 * 1:43124 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
 * 1:43123 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
 * 3:43135 <-> ENABLED <-> POLICY-OTHER JBoss Management console access detected (policy-other.rules)
 * 3:43148 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP challenge-response buffer overflow attempt (protocol-scada.rules)
 * 3:43149 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP certificate request unknown certificate detected (protocol-scada.rules)

Modified Rules:


 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:20396 <-> DISABLED <-> PROTOCOL-VOIP INVITE flood attempt (protocol-voip.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL IMAP server EXAMINE command log message overflow attempt (server-mail.rules)
 * 1:18452 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:19436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)

2017-06-08 14:49:43 UTC

Snort Subscriber Rules Update

Date: 2017-06-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43142 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
 * 1:43125 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
 * 1:43126 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
 * 1:43127 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration enumeration attempt (policy-other.rules)
 * 1:43128 <-> DISABLED <-> POLICY-OTHER Beck IPC network configuration overwrite attempt (policy-other.rules)
 * 1:43130 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:43131 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43132 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43133 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:43134 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
 * 1:43136 <-> DISABLED <-> SERVER-MAIL SysGauge SMTP response buffer overflow (server-mail.rules)
 * 1:43137 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
 * 1:43138 <-> DISABLED <-> FILE-OTHER INSAT MasterSCADA malicious project command execution attempt (file-other.rules)
 * 1:43139 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
 * 1:43140 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large size value denial of service attempt (protocol-scada.rules)
 * 1:43141 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX large data allocation denial of service attempt (protocol-scada.rules)
 * 1:43147 <-> ENABLED <-> SERVER-WEBAPP IBM OpenAdmin Tool SOAP welcomeService.php PHP code injection attempt (server-webapp.rules)
 * 1:43144 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
 * 1:43146 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
 * 1:43145 <-> DISABLED <-> POLICY-OTHER Pro-Face Pro-ServerEX find node invalid memory access attempt (policy-other.rules)
 * 1:43123 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Password read or write attempt (indicator-compromise.rules)
 * 1:43124 <-> DISABLED <-> INDICATOR-COMPROMISE OptoMMP FTP Username read or write attempt (indicator-compromise.rules)
 * 1:43143 <-> DISABLED <-> PROTOCOL-SCADA Pro-Face Pro-ServerEX arbitrary memory disclosure attempt (protocol-scada.rules)
 * 3:43135 <-> ENABLED <-> POLICY-OTHER JBoss Management console access detected (policy-other.rules)
 * 3:43149 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP certificate request unknown certificate detected (protocol-scada.rules)
 * 3:43148 <-> ENABLED <-> PROTOCOL-SCADA Rockwell Automation CIP challenge-response buffer overflow attempt (protocol-scada.rules)

Modified Rules:


 * 1:31302 <-> DISABLED <-> APP-DETECT Oracle Java debug wire protocol remote debugging attempt (app-detect.rules)
 * 1:19436 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt (browser-ie.rules)
 * 1:37375 <-> DISABLED <-> SERVER-MAIL IMAP server EXAMINE command log message overflow attempt (server-mail.rules)
 * 1:18452 <-> DISABLED <-> FILE-OTHER Adobe malicious IFF memory corruption attempt (file-other.rules)
 * 1:20396 <-> DISABLED <-> PROTOCOL-VOIP INVITE flood attempt (protocol-voip.rules)