Snort - Network Intrusion Detection & Prevention System

Talos Rules 2018-05-01

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-image, file-pdf, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2983

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)

Modified Rules:


 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)

2990

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)

Modified Rules:


 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)

3000

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (snort3-server-other.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (snort3-os-windows.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (snort3-os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (snort3-server-other.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (snort3-deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (snort3-server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)

29110

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)

29111

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)

Modified Rules:


 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)