Talos has added and modified multiple rules in the blacklist, file-identify, file-image, file-office, file-other, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
* 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
* 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
* 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
* 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
* 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
* 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
* 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
* 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
* 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
* 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
* 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
* 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
* 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
* 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
* 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
* 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
* 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
* 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
* 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
* 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
* 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
* 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
* 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
* 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt (file-office.rules)
* 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
* 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
* 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
* 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
* 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
* 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
* 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
* 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
* 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
* 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
* 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)