Talos Rules 2017-07-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, os-windows, policy-other, protocol-dns, protocol-nntp, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-07-27 16:01:56 UTC

Snort Subscriber Rules Update

Date: 2017-07-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 1:43718 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
 * 1:43719 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
 * 1:43720 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43721 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43722 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43723 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
 * 1:43724 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
 * 1:43727 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
 * 1:43728 <-> DISABLED <-> SERVER-OTHER XChat heap buffer overflow attempt (server-other.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:43730 <-> DISABLED <-> SERVER-OTHER multiple vulnerabilities malformed mp3 buffer overflow attempt (server-other.rules)
 * 1:43731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
 * 1:43732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
 * 1:43733 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
 * 1:43734 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
 * 1:43735 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
 * 1:43736 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
 * 1:43737 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
 * 1:43738 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
 * 1:43739 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
 * 1:43740 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
 * 1:43741 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
 * 1:43742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
 * 1:43743 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
 * 1:43744 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
 * 1:43745 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
 * 1:43746 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
 * 1:43747 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
 * 1:43748 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
 * 1:43749 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
 * 1:43750 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
 * 1:43751 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
 * 1:43752 <-> DISABLED <-> SERVER-OTHER Sun Solaris dhcpd malformed bootp denial of service attempt (server-other.rules)
 * 1:43753 <-> DISABLED <-> SERVER-OTHER Sami FTP RETR denial of service attempt (server-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:43755 <-> DISABLED <-> SERVER-OTHER FreeBSD Routing Information Protocol assertion failure attempt (server-other.rules)
 * 1:43756 <-> DISABLED <-> SERVER-WEBAPP Coppermine Photo Gallery thumbnails.php SQL injection attempt (server-webapp.rules)
 * 1:43757 <-> DISABLED <-> SERVER-WEBAPP ScadaBR remote credential export attempt (server-webapp.rules)
 * 1:43758 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43759 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43774 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43773 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43772 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43771 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43770 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43769 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43768 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
 * 1:43767 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
 * 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43760 <-> DISABLED <-> PROTOCOL-NNTP Control overflow attempt (protocol-nntp.rules)
 * 1:43762 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
 * 1:43761 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt (browser-firefox.rules)
 * 3:43726 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
 * 3:43725 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
 * 3:43717 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0386 attack attempt (server-other.rules)
 * 3:43716 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0391 attack attempt (policy-other.rules)
 * 3:43714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
 * 3:43715 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0390 attack attempt (policy-other.rules)
 * 3:43712 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
 * 3:43713 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0385 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:15164 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
 * 1:17661 <-> DISABLED <-> SERVER-SAMBA Samba send_mailslot buffer overflow attempt (server-samba.rules)
 * 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)

2017-07-27 16:01:56 UTC

Snort Subscriber Rules Update

Date: 2017-07-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43774 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43773 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43772 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43771 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43770 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43769 <-> DISABLED <-> SERVER-OTHER D-Link DSL-2740B cross site request forgery attempt (server-other.rules)
 * 1:43768 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
 * 1:43767 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox floating layer denial of service attempt (browser-firefox.rules)
 * 1:43766 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:43765 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL null menu memory corruption attempt (browser-firefox.rules)
 * 1:43764 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43763 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL tree node removal memory corruption attempt (browser-firefox.rules)
 * 1:43762 <-> DISABLED <-> SERVER-WEBAPP Invalid HTTP Version String (server-webapp.rules)
 * 1:43761 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox wyciwgy domain forgery attempt (browser-firefox.rules)
 * 1:43760 <-> DISABLED <-> PROTOCOL-NNTP Control overflow attempt (protocol-nntp.rules)
 * 1:43759 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43758 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43757 <-> DISABLED <-> SERVER-WEBAPP ScadaBR remote credential export attempt (server-webapp.rules)
 * 1:43756 <-> DISABLED <-> SERVER-WEBAPP Coppermine Photo Gallery thumbnails.php SQL injection attempt (server-webapp.rules)
 * 1:43755 <-> DISABLED <-> SERVER-OTHER FreeBSD Routing Information Protocol assertion failure attempt (server-other.rules)
 * 1:43754 <-> DISABLED <-> MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt (malware-cnc.rules)
 * 1:43753 <-> DISABLED <-> SERVER-OTHER Sami FTP RETR denial of service attempt (server-other.rules)
 * 1:43752 <-> DISABLED <-> SERVER-OTHER Sun Solaris dhcpd malformed bootp denial of service attempt (server-other.rules)
 * 1:43751 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
 * 1:43750 <-> DISABLED <-> FILE-OTHER Sorensoft Media Player asz file buffer overflow attempt (file-other.rules)
 * 1:43749 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
 * 1:43748 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox BOM character cross site scripting attempt (browser-firefox.rules)
 * 1:43747 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
 * 1:43746 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frame element memory corruption attempt (browser-firefox.rules)
 * 1:43745 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
 * 1:43744 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox style display inherit memory corruption attempt (browser-firefox.rules)
 * 1:43743 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
 * 1:43742 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox lookup property memory corruption attempt (browser-firefox.rules)
 * 1:43741 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
 * 1:43740 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox frameset memory corruption attempt (browser-firefox.rules)
 * 1:43739 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
 * 1:43738 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVGZoom memory corruption attempt (browser-firefox.rules)
 * 1:43737 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
 * 1:43736 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox XUL commandDispatcher memory corruption attempt (browser-firefox.rules)
 * 1:43735 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
 * 1:43734 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
 * 1:43733 <-> DISABLED <-> SERVER-WEBAPP Sophos XG Firewall Controller filter SQL injection attempt (server-webapp.rules)
 * 1:43732 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
 * 1:43731 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vista contacts gadget code execution attempt (os-windows.rules)
 * 1:43730 <-> DISABLED <-> SERVER-OTHER multiple vulnerabilities malformed mp3 buffer overflow attempt (server-other.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:43728 <-> DISABLED <-> SERVER-OTHER XChat heap buffer overflow attempt (server-other.rules)
 * 1:43727 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
 * 1:43724 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
 * 1:43723 <-> DISABLED <-> SERVER-WEBAPP FCRing sfuss remote file include attempt (server-webapp.rules)
 * 1:43722 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43721 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43720 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server directory traversal attempt (server-webapp.rules)
 * 1:43719 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
 * 1:43718 <-> DISABLED <-> SERVER-WEBAPP Site-Assistant menu.php remote file include attempt (server-webapp.rules)
 * 1:43711 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 1:43710 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 1:43709 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access gencsr command injection attempt (server-webapp.rules)
 * 3:43725 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
 * 3:43726 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0387 attack attempt (file-image.rules)
 * 3:43716 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0391 attack attempt (policy-other.rules)
 * 3:43717 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0386 attack attempt (server-other.rules)
 * 3:43714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
 * 3:43715 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0390 attack attempt (policy-other.rules)
 * 3:43712 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0389 attack attempt (policy-other.rules)
 * 3:43713 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0385 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:36130 <-> DISABLED <-> PROTOCOL-DNS ISC BIND zero length OPENPGPKEY rdata response attempt (protocol-dns.rules)
 * 1:15164 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox SVG pathSegList memory corruption attempt (browser-firefox.rules)
 * 1:17661 <-> DISABLED <-> SERVER-SAMBA Samba send_mailslot buffer overflow attempt (server-samba.rules)
 * 1:19002 <-> DISABLED <-> FILE-FLASH RealNetworks RealPlayer FLV integer overflow attempt (file-flash.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:40608 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)
 * 1:40609 <-> ENABLED <-> SERVER-WEBAPP Joomla UsersController non-standard insecure account registration method access attempt (server-webapp.rules)