Talos Rules 2017-08-10
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-multimedia, file-other, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-08-10 17:59:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43892 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43891 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43890 <-> ENABLED <-> MALWARE-CNC Win.Malware.Emotet variant outbound connection (malware-cnc.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)

Modified Rules:


 * 1:37214 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection (malware-cnc.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)

2017-08-10 17:59:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43890 <-> ENABLED <-> MALWARE-CNC Win.Malware.Emotet variant outbound connection (malware-cnc.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43891 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43892 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)
 * 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37214 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection (malware-cnc.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)

2017-08-10 17:59:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43898 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43892 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43888 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43889 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_BLTBIT record out of bounds access attempt (file-multimedia.rules)
 * 1:43887 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43890 <-> ENABLED <-> MALWARE-CNC Win.Malware.Emotet variant outbound connection (malware-cnc.rules)
 * 1:43895 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43891 <-> ENABLED <-> MALWARE-OTHER Win.Malware.Emotet variant lateral propagation (malware-other.rules)
 * 1:43894 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43893 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF file GIF LZW coding table memory corruption attempt (file-other.rules)
 * 1:43896 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43886 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed UTF-16 string memory corruption attempt (file-pdf.rules)
 * 1:43897 <-> DISABLED <-> SERVER-WEBAPP SonicWall Secure Remote Access sitecustomization command injection attempt (server-webapp.rules)
 * 1:43899 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Biggluck variant inbound response (malware-cnc.rules)

Modified Rules:


 * 1:37214 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Pmabot outbound connection (malware-cnc.rules)
 * 1:42398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:7105 <-> ENABLED <-> MALWARE-BACKDOOR aol admin runtime detection (malware-backdoor.rules)
 * 3:39775 <-> ENABLED <-> EXPLOIT-KIT malicious Javascript detected via experimental RBF classifier (exploit-kit.rules)