Talos Rules 2017-09-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2983

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected  (deleted.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)

2990

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected  (deleted.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)

Modified Rules:


 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)

29110

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected  (deleted.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)

Modified Rules:


 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)