Talos Rules 2017-07-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, browser-ie, browser-other, file-multimedia, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, server-apache, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-07-18 14:41:12 UTC

Snort Subscriber Rules Update

Date: 2017-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
 * 1:43577 <-> DISABLED <-> SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (server-webapp.rules)
 * 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:43573 <-> DISABLED <-> SERVER-OTHER Cisco IOS DHCP denial of service attempt (server-other.rules)
 * 1:43578 <-> DISABLED <-> MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (malware-cnc.rules)
 * 1:43575 <-> ENABLED <-> MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (malware-cnc.rules)
 * 1:43576 <-> DISABLED <-> INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (indicator-compromise.rules)
 * 1:43569 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43574 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server command injection attempt (server-webapp.rules)
 * 1:43571 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43572 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:43570 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43567 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
 * 1:43568 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
 * 1:43566 <-> DISABLED <-> SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (server-other.rules)
 * 1:43564 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user creation detected (policy-other.rules)
 * 1:43562 <-> DISABLED <-> POLICY-OTHER Teleopti WFM database information request detected (policy-other.rules)
 * 1:43563 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user credentials request detected (policy-other.rules)
 * 1:43584 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43583 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43585 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43586 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43588 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43589 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43590 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43591 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43592 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43593 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43594 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43595 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (server-webapp.rules)
 * 1:43596 <-> DISABLED <-> SERVER-OTHER Oracle Demantra information disclosure attempt (server-other.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:43582 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (file-other.rules)

Modified Rules:

 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:16221 <-> DISABLED <-> OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt (os-windows.rules)
 * 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:26468 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:26469 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:29374 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29375 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
 * 1:29627 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt (server-other.rules)
 * 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
 * 3:42438 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP parsing integer overflow attempt (server-mail.rules)

2017-07-18 14:41:12 UTC

Snort Subscriber Rules Update

Date: 2017-07-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43596 <-> DISABLED <-> SERVER-OTHER Oracle Demantra information disclosure attempt (server-other.rules)
 * 1:43595 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe filesystem denial of service attempt (server-webapp.rules)
 * 1:43594 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43593 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43592 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43591 <-> DISABLED <-> SERVER-WEBAPP IBM Tealeaf testconn_host command injection attempt (server-webapp.rules)
 * 1:43590 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43589 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43588 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor directory traversal attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:43586 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43585 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43584 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43583 <-> DISABLED <-> SERVER-WEBAPP CA eHealth command injection attempt (server-webapp.rules)
 * 1:43582 <-> DISABLED <-> FILE-OTHER multiple vulnerabilities malformed .wav file buffer overflow attempt (file-other.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
 * 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:43578 <-> DISABLED <-> MALWARE-CNC Android.Trojan.DroidKungFu outbound connection (malware-cnc.rules)
 * 1:43577 <-> DISABLED <-> SERVER-WEBAPP Oracle BPEL Process Manager directory traversal attempt (server-webapp.rules)
 * 1:43576 <-> DISABLED <-> INDICATOR-COMPROMISE possible Samsung DVR authentication bypass attempt (indicator-compromise.rules)
 * 1:43575 <-> ENABLED <-> MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt (malware-cnc.rules)
 * 1:43574 <-> DISABLED <-> SERVER-WEBAPP Wing FTP Server command injection attempt (server-webapp.rules)
 * 1:43573 <-> DISABLED <-> SERVER-OTHER Cisco IOS DHCP denial of service attempt (server-other.rules)
 * 1:43572 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43571 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43570 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43569 <-> DISABLED <-> SERVER-WEBAPP Zavio Cam command injection attempt (server-webapp.rules)
 * 1:43568 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
 * 1:43567 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Framework diagnostic information disclosure attempt (server-webapp.rules)
 * 1:43566 <-> DISABLED <-> SERVER-OTHER LAN Messenger initiation request buffer overflow attempt (server-other.rules)
 * 1:43565 <-> DISABLED <-> APP-DETECT HTTPTunnel proxy outbound connection detected (app-detect.rules)
 * 1:43564 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user creation detected (policy-other.rules)
 * 1:43563 <-> DISABLED <-> POLICY-OTHER Teleopti WFM administrative user credentials request detected (policy-other.rules)
 * 1:43562 <-> DISABLED <-> POLICY-OTHER Teleopti WFM database information request detected (policy-other.rules)

Modified Rules:

 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:16221 <-> DISABLED <-> OS-WINDOWS Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial of service attempt (os-windows.rules)
 * 1:17549 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Error Handling Code Execution (browser-ie.rules)
 * 1:26468 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:26469 <-> DISABLED <-> SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt (server-oracle.rules)
 * 1:27046 <-> DISABLED <-> APP-DETECT iodine dns tunneling handshake server ACK (app-detect.rules)
 * 1:29005 <-> DISABLED <-> SERVER-WEBAPP IBM Platform Symphony SOAP request processing buffer overflow attempt (server-webapp.rules)
 * 1:29374 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29375 <-> DISABLED <-> SERVER-WEBAPP Nagios process_cgivars off-by-one memory access denial of service attempt (server-webapp.rules)
 * 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)
 * 1:29627 <-> DISABLED <-> SERVER-OTHER Novell ZENworks Handheld Management ZfHIPCND.exe buffer overflow attempt (server-other.rules)
 * 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30215 <-> DISABLED <-> FILE-MULTIMEDIA VideoLAN VLC Media Player Live555 RTSP plugin stack-based buffer overflow attempt (file-multimedia.rules)
 * 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30850 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30851 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:31390 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:31391 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34320 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:34321 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer BSTR use after free attempt (browser-ie.rules)
 * 1:40647 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:40648 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript ReverseHelper buffer overrun attempt (browser-ie.rules)
 * 1:41407 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41408 <-> ENABLED <-> BROWSER-OTHER Cisco WebEx extension command execution attempt (browser-other.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:42255 <-> DISABLED <-> OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt (os-windows.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43390 <-> DISABLED <-> SERVER-WEBAPP Netgear Prosafe startup config information disclosure attempt (server-webapp.rules)
 * 3:42438 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP parsing integer overflow attempt (server-mail.rules)