Talos Rules 2017-10-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, protocol-dns, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-03 16:04:18 UTC

Snort Subscriber Rules Update

Date: 2017-10-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
 * 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
 * 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
 * 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)

Modified Rules:


 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)

2017-10-03 16:04:18 UTC

Snort Subscriber Rules Update

Date: 2017-10-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
 * 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
 * 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
 * 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
 * 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)
 * 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
 * 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
 * 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)

2017-10-03 16:04:18 UTC

Snort Subscriber Rules Update

Date: 2017-10-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
 * 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
 * 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)
 * 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
 * 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
 * 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
 * 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
 * 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
 * 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
 * 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
 * 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
 * 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
 * 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)