Talos Rules 2017-08-24
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-08-24 16:08:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
 * 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
 * 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
 * 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
 * 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
 * 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
 * 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)

Modified Rules:

 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)
 * 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
 * 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)

2017-08-24 16:08:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
 * 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
 * 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
 * 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
 * 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
 * 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
 * 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)

Modified Rules:

 * 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
 * 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)

2017-08-24 16:08:23 UTC

Snort Subscriber Rules Update

Date: 2017-08-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44105 <-> DISABLED <-> SERVER-OTHER WebPageTests upload feature remote file upload attempt (server-other.rules)
 * 1:44104 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44103 <-> DISABLED <-> FILE-PDF Foxit PDF reader saveAs arbitrary file write attempt (file-pdf.rules)
 * 1:44100 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44099 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record out of bounds access attempt (file-multimedia.rules)
 * 1:44098 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44097 <-> DISABLED <-> FILE-PDF Foxit Reader launchURL Command Injection Remote Code Execution attempt (file-pdf.rules)
 * 1:44096 <-> DISABLED <-> MALWARE-TOOLS Request to service that provices external IP address detected (malware-tools.rules)
 * 1:44095 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44094 <-> DISABLED <-> FILE-MULTIMEDIA Adobe Professional EMF malformed EMR_STRETCHDIBITS record memory corruption attempt (file-multimedia.rules)
 * 1:44091 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44089 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44088 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer CapiCom.Utilities ActiveX control getRandom method access attempt (browser-plugins.rules)
 * 1:44087 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44086 <-> ENABLED <-> FILE-OTHER Adobe Acrobat EMF line segments memory corruption attempt (file-other.rules)
 * 1:44085 <-> DISABLED <-> SERVER-OTHER FreeRADIUS invalid WiMAX VSA length out of bounds write attempt (server-other.rules)
 * 1:44084 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44083 <-> ENABLED <-> FILE-PDF Adobe Acrobat XFA field initialization memory corruption attempt (file-pdf.rules)
 * 1:44081 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:44080 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44079 <-> DISABLED <-> SERVER-WEBAPP Schneider Electric Umotion Builder localize.php SQL injection attempt (server-webapp.rules)
 * 1:44078 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Nemucod file download (malware-other.rules)
 * 1:44077 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .win dns query (indicator-compromise.rules)
 * 1:44076 <-> DISABLED <-> INDICATOR-COMPROMISE Suspicious .trade dns query (indicator-compromise.rules)
 * 1:44075 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44074 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44073 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 1:44072 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader SubmitForm URL spoofing attempt (file-pdf.rules)
 * 3:44070 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0418 attack attempt (server-other.rules)
 * 3:44071 <-> ENABLED <-> SERVER-OTHER Objectivity DB lock server buffer overflow attempt (server-other.rules)
 * 3:44082 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0420 attack attempt (server-other.rules)
 * 3:44092 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44093 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0404 attack attempt (file-office.rules)
 * 3:44101 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)
 * 3:44102 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0403 attack attempt (file-office.rules)

Modified Rules:

 * 1:23405 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
 * 1:23406 <-> DISABLED <-> SERVER-WEBAPP PHP-Nuke index.php SQL injection attempt (server-webapp.rules)
 * 1:16064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onBeforeUnload address bar spoofing attempt (browser-ie.rules)
 * 1:1828 <-> DISABLED <-> SERVER-WEBAPP iPlanet Search directory traversal attempt (server-webapp.rules)