Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, protocol-dns, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
* 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
* 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
* 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
* 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)

* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
* 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
* 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
* 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
* 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
* 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)
* 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
* 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
* 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)

* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:44482 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader integer underflow attempt (protocol-dns.rules)
* 1:44481 <-> DISABLED <-> SERVER-OTHER dnsmasq IPv6 heap overflow attempt (server-other.rules)
* 1:44480 <-> DISABLED <-> SERVER-OTHER dnsmasq Relay-forw information leak attempt (server-other.rules)
* 1:44479 <-> DISABLED <-> PROTOCOL-DNS dnsmasq overly large DNS query denial of service attempt (protocol-dns.rules)
* 1:44478 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
* 1:44477 <-> DISABLED <-> SERVER-OTHER dnsmasq dhcp6_maybe_relay stack buffer overflow attempt (server-other.rules)
* 1:44476 <-> DISABLED <-> PUA-ADWARE Win.Adware.OutBrowse variant outbound connection detected (pua-adware.rules)
* 1:44475 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection (malware-other.rules)
* 1:44474 <-> DISABLED <-> MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection (malware-other.rules)
* 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:44472 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44471 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance upgrade_handle.php command injection attempt (server-webapp.rules)
* 1:44470 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44469 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:44468 <-> DISABLED <-> SERVER-OTHER SAP Netweaver Dynpro Engine denial of service attempt (server-other.rules)
* 1:44467 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44466 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)
* 1:44465 <-> DISABLED <-> SERVER-WEBAPP Fibaro Home Center liliSetDeviceCommand.php command injection attempt (server-webapp.rules)

* 1:20242 <-> DISABLED <-> PROTOCOL-DNS Oracle Secure Backup observice.exe dns response overflow attempt (protocol-dns.rules)
* 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
* 1:26576 <-> DISABLED <-> MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt (malware-cnc.rules)
* 1:40832 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt (malware-cnc.rules)
* 1:40836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt (malware-cnc.rules)