Talos has added and modified multiple rules in the browser-firefox, file-flash, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983 (Snort 2.9.8.3).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
* 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
* 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
* 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
* 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)
Modified Rules:

* 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
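The changelog lines above follow a fixed shape (gid:sid, default state, message, rule group), which makes them easy to parse when you want to answer the operational questions the raw list does not: which of the new rules ship DISABLED and therefore never fire until you opt in, how the additions spread across rule groups, and which SIDs are gid 3 shared-object rules that need the precompiled .so for your platform rather than a plain text rule. The Python below is an added example, not Talos or Snort tooling. The sample lines are constructed from entries quoted in this post; the comma-separated gid:sid output line mirrors the list format PulledPork's enablesid.conf accepts, which is an assumption about your rule-management tool, so adapt it if you use something else.

```python
import re
from collections import defaultdict

# Constructed sample in the "gid:sid <-> state <-> message (group)" format,
# copied from entries in this post so the example runs offline.
SAMPLE = """\
* 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
* 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)
"""

# One changelog entry: optional "* " bullet, gid:sid, state, free-text message,
# and the rule group in trailing parentheses.  Anchored so a stray line fails
# loudly instead of being silently skipped.
LINE_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Parse changelog text into a list of dicts; raise on any line that does not fit the format."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable changelog line: {raw!r}")
        entry = m.groupdict()
        entry["gid"] = int(entry["gid"])
        entry["sid"] = int(entry["sid"])
        # gid 3 is the shared-object (SO) rule generator: the detection logic
        # lives in a precompiled .so, not in the text rule, so it only loads on
        # platforms Talos ships binaries for.
        entry["shared_object"] = entry["gid"] == 3
        entries.append(entry)
    return entries


def disabled_by_default(entries, keyword=None):
    """gid:sid strings of rules that ship DISABLED, optionally filtered by a case-insensitive message substring."""
    ids = []
    for e in entries:
        if e["state"] != "DISABLED":
            continue
        if keyword and keyword.lower() not in e["msg"].lower():
            continue
        ids.append(f"{e['gid']}:{e['sid']}")
    return ids


def by_group(entries):
    """Count ENABLED/DISABLED entries per rule group, e.g. to see where a pack's coverage actually landed."""
    counts = defaultdict(lambda: {"ENABLED": 0, "DISABLED": 0})
    for e in entries:
        counts[e["group"]][e["state"]] += 1
    return dict(counts)


def enablesid_line(ids):
    """Join gid:sid pairs into one comma-separated line (assumed to match PulledPork's enablesid.conf shape)."""
    return ",".join(ids)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for group, c in sorted(by_group(parsed).items()):
        print(f"{group:24s} enabled={c['ENABLED']} disabled={c['DISABLED']}")
    # Only worth enabling if you actually have these gateways on the wire;
    # device-specific rules shipped DISABLED are usually narrow rather than noisy.
    print("enablesid.conf line for DDR2200 rules:",
          enablesid_line(disabled_by_default(parsed, "DDR2200")))
    print("SO rules:", [f"{e['gid']}:{e['sid']}" for e in parsed if e["shared_object"]])
```

Run it as-is to see the per-group summary and the opt-in line; point parse_changelog at the full list for a pack to get the real numbers. Two caveats the output makes visible: a DISABLED default means the rule is absent from the default policy, not that it is low quality, so the SCADA and gateway rules above are worth enabling on segments that carry that traffic; and a gid 3 SID will not do anything on a sensor that cannot load the matching shared object, so check that before assuming coverage.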
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990 (Snort 2.9.9.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
* 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
* 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
* 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
* 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)
Modified Rules:

* 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100 (Snort 2.9.11.0).
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
New Rules:

* 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
* 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
* 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
* 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
* 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
* 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
* 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
* 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
* 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
* 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
* 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
* 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
* 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
* 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
* 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
* 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
* 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
* 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)
Modified Rules:

* 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
* 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
* 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
* 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
* 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)