Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, os-windows, policy-other, protocol-dns, protocol-nntp, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43718 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
* 1:43719 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
* 1:43720 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43721 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43722 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43723 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
* 1:43724 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
* 1:43727 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
* 1:43728 <-> DISABLED <-> SERVER-OTHER XChat heap buffer overflow attempt (server-other.rules)
* 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit IE exploit attempt (exploit-kit.rules)
* 1:43730 <-> DISABLED <-> SERVER-OTHER multiple vulnerabilities malformed mp3 buffer overflow attempt (server-other.rules)
* 1:43731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
* 1:43732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
* 1:43733 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
* 1:43734 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
* 1:43735 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
* 1:43736 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
* 1:43737 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
* 1:43738 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
* 1:43739 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
* 1:43740 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
* 1:43741 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
* 1:43742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
* 1:43743 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
* 1:43744 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
* 1:43745 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
* 1:43746 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
* 1:43747 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
* 1:43748 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
* 1:43749 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
* 1:43750 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
* 1:43751 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
* 1:43752 <-> DISABLED <-> SERVER-OTHER Sun Solaris dhcpd malformed bootp denial of service attempt (server-other.rules)
* 1:43753 <-> DISABLED <-> SERVER-OTHER Sami FTP RETR denial of service attempt (server-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:43755 <-> DISABLED <-> SERVER-OTHER FreeBSD Routing Information Protocol assertion failure attempt (server-other.rules)
* 1:43756 <-> DISABLED <-> SERVER-WEBAPP Coppermine Photo Gallery thumbnails.php SQL injection attempt (server-webapp.rules)
* 1:43757 <-> DISABLED <-> SERVER-WEBAPP ScadaBR remote credential export attempt (server-webapp.rules)
* 1:43758 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43759 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43774 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43773 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43772 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43771 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43770 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43769 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43768 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
* 1:43767 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
* 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
* 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
* 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
* 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
* 1:43760 <-> DISABLED <-> PROTOCOL-NNTP Control overflow attempt (protocol-nntp.rules)
* 1:43762 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
* 1:43761 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt (browser-firefox.rules)
* 3:43726 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
* 3:43725 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
* 3:43717 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0386 attack attempt (server-other.rules)
* 3:43716 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0391 attack attempt (policy-other.rules)
* 3:43714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
* 3:43715 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0390 attack attempt (policy-other.rules)
* 3:43712 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
* 3:43713 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0385 attack attempt (server-webapp.rules)
* 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
* 1:15164 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
* 1:17661 <-> DISABLED <-> SERVER-SAMBA Samba send_mailslot buffer overflow attempt (server-samba.rules)
* 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
* 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43774 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43773 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43772 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43771 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43770 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43769 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
* 1:43768 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
* 1:43767 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
* 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
* 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
* 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
* 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
* 1:43762 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
* 1:43761 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt (browser-firefox.rules)
* 1:43760 <-> DISABLED <-> PROTOCOL-NNTP Control overflow attempt (protocol-nntp.rules)
* 1:43759 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43758 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
* 1:43757 <-> DISABLED <-> SERVER-WEBAPP ScadaBR remote credential export attempt (server-webapp.rules)
* 1:43756 <-> DISABLED <-> SERVER-WEBAPP Coppermine Photo Gallery thumbnails.php SQL injection attempt (server-webapp.rules)
* 1:43755 <-> DISABLED <-> SERVER-OTHER FreeBSD Routing Information Protocol assertion failure attempt (server-other.rules)
* 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
* 1:43753 <-> DISABLED <-> SERVER-OTHER Sami FTP RETR denial of service attempt (server-other.rules)
* 1:43752 <-> DISABLED <-> SERVER-OTHER Sun Solaris dhcpd malformed bootp denial of service attempt (server-other.rules)
* 1:43751 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
* 1:43750 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
* 1:43749 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
* 1:43748 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
* 1:43747 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
* 1:43746 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
* 1:43745 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
* 1:43744 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
* 1:43743 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
* 1:43742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
* 1:43741 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
* 1:43740 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
* 1:43739 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
* 1:43738 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
* 1:43737 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
* 1:43736 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
* 1:43735 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
* 1:43734 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
* 1:43733 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
* 1:43732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
* 1:43731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
* 1:43730 <-> DISABLED <-> SERVER-OTHER multiple vulnerabilities malformed mp3 buffer overflow attempt (server-other.rules)
* 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit IE exploit attempt (exploit-kit.rules)
* 1:43728 <-> DISABLED <-> SERVER-OTHER XChat heap buffer overflow attempt (server-other.rules)
* 1:43727 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
* 1:43724 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
* 1:43723 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
* 1:43722 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43721 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43720 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
* 1:43719 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
* 1:43718 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
* 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
* 3:43725 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
* 3:43726 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
* 3:43716 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0391 attack attempt (policy-other.rules)
* 3:43717 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0386 attack attempt (server-other.rules)
* 3:43714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
* 3:43715 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0390 attack attempt (policy-other.rules)
* 3:43712 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
* 3:43713 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0385 attack attempt (server-webapp.rules)
* 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
* 1:15164 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
* 1:17661 <-> DISABLED <-> SERVER-SAMBA Samba send_mailslot buffer overflow attempt (server-samba.rules)
* 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
* 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
* 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
* 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)