Talos Rules 2017-06-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, indicator-shellcode, malware-cnc, os-windows, protocol-ftp, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-06-22 14:51:53 UTC

Snort Subscriber Rules Update

Date: 2017-06-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43269 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
 * 1:43260 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43258 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
 * 1:43259 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules)
 * 1:43257 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
 * 1:43254 <-> DISABLED <-> INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets (indicator-shellcode.rules)
 * 1:43255 <-> DISABLED <-> INDICATOR-SHELLCODE single byte x86 xor decryption routine (indicator-shellcode.rules)
 * 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
 * 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
 * 1:43250 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject directory traversal attempt (server-webapp.rules)
 * 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
 * 1:43249 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:43247 <-> DISABLED <-> SERVER-APACHE Apache Rave information disclosure attempt (server-apache.rules)
 * 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules)
 * 1:43240 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43243 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43244 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43242 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43245 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43246 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43261 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43262 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43263 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 1:43264 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43241 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:43280 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:43278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43276 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43275 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43274 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43273 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43270 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
 * 1:43239 <-> DISABLED <-> PROTOCOL-FTP WS-FTP REST command overly large file creation attempt (protocol-ftp.rules)
 * 1:43272 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)

Modified Rules:


 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:20737 <-> DISABLED <-> SERVER-WEBAPP 427BB cookie-based authentication bypass attempt (server-webapp.rules)
 * 1:19008 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt (browser-webkit.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)

2017-06-22 14:51:53 UTC

Snort Subscriber Rules Update

Date: 2017-06-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43280 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:43279 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess cross site scripting attempt (server-webapp.rules)
 * 1:43278 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43277 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43276 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43275 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MFT denial of service attempt (os-windows.rules)
 * 1:43274 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43273 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43272 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43270 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
 * 1:43269 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows DirectX directshow wav file overflow attempt (file-multimedia.rules)
 * 1:43268 <-> DISABLED <-> SERVER-WEBAPP Squid ESI processing buffer overflow attempt (server-webapp.rules)
 * 1:43267 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43266 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43265 <-> DISABLED <-> SERVER-WEBAPP SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt (server-webapp.rules)
 * 1:43264 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43263 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43262 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43261 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43260 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43259 <-> DISABLED <-> FILE-OTHER Hangul Word Processor type confusion attempt (file-other.rules)
 * 1:43258 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
 * 1:43257 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection command injection attempt (server-webapp.rules)
 * 1:43256 <-> ENABLED <-> INDICATOR-OBFUSCATION Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call (indicator-obfuscation.rules)
 * 1:43255 <-> DISABLED <-> INDICATOR-SHELLCODE single byte x86 xor decryption routine (indicator-shellcode.rules)
 * 1:43254 <-> DISABLED <-> INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets (indicator-shellcode.rules)
 * 1:43253 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 virtual manufacturing device domain variable enumeration attempt (protocol-scada.rules)
 * 1:43252 <-> DISABLED <-> PROTOCOL-SCADA IEC 61850 device connection enumeration attempt (protocol-scada.rules)
 * 1:43251 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA LogSettingHandler command injection attempt (server-webapp.rules)
 * 1:43250 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject directory traversal attempt (server-webapp.rules)
 * 1:43249 <-> DISABLED <-> SERVER-WEBAPP Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:43248 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool installation (malware-cnc.rules)
 * 1:43247 <-> DISABLED <-> SERVER-APACHE Apache Rave information disclosure attempt (server-apache.rules)
 * 1:43246 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43245 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43244 <-> DISABLED <-> SERVER-WEBAPP Active Calendar showcode.php directory traversal attempt (server-webapp.rules)
 * 1:43243 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43242 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43241 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43240 <-> DISABLED <-> BROWSER-PLUGINS Rising Online Virus Scanner  ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43239 <-> DISABLED <-> PROTOCOL-FTP WS-FTP REST command overly large file creation attempt (protocol-ftp.rules)
 * 1:43238 <-> DISABLED <-> SERVER-WEBAPP Imatix Xitami web server head processing denial of service attempt (server-webapp.rules)
 * 3:43271 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure XML external entity injection attempt (server-webapp.rules)

Modified Rules:


 * 1:19008 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit floating point conversion memory corruption attempt (browser-webkit.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:23164 <-> DISABLED <-> SERVER-OTHER Microsoft Lync Online ncrypt.dll dll-load exploit attempt (server-other.rules)
 * 1:35015 <-> ENABLED <-> SERVER-WEBAPP Centreon GetXmlTree.php SQL injection attempt (server-webapp.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41120 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41121 <-> ENABLED <-> FILE-IMAGE ImageMagick PostScript decode delegate command injection attempt (file-image.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:20737 <-> DISABLED <-> SERVER-WEBAPP 427BB cookie-based authentication bypass attempt (server-webapp.rules)