Talos Rules 2018-07-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats against these technologies. Note that most of the new vulnerability-oriented rules (the Microsoft Edge, Microsoft Word EMF, Trend Micro Deep Discovery Email Inspector and Arris VAP2500 signatures) ship DISABLED by default and must be enabled explicitly where the affected products are deployed; the malware-cnc and malware-other rules ship ENABLED.

Change logs

2018-07-03 14:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:47076 <-> ENABLED <-> MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt (malware-cnc.rules)
 * 1:47073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smokeloader outbound response (malware-cnc.rules)
 * 1:47072 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47071 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules)
 * 1:47069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47066 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47065 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:47083 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47082 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47081 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 3:47074 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)
 * 3:47075 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
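The per-version lists that follow share the one-line format stated above, which makes the changelog easy to process mechanically. Below is an added example (not part of the Talos release notes or of any Talos tooling) that parses that format, compares the rule packs for two Snort versions by gid:sid, and picks out default-DISABLED rules whose message mentions a keyword so they can be turned on deliberately. The input is a constructed excerpt built from lines in this release; the version strings "2091101" and "3000" are the ones the changelog itself uses. As the full lists show, the Snort 3 pack carries no gid 3 (shared-object) entries for this release, and the comparison surfaces exactly that.

```python
"""Parse 'Snort Subscriber Rules Update' changelogs and compare rule packs.

Each rule line follows the format the changelog states:
    gid:sid <-> Default rule state <-> Message (rule group)
Example code written for this page, not Talos tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One changelog rule line, e.g.
#  * 1:47080 <-> DISABLED <-> SERVER-WEBAPP ... attempt (server-webapp.rules)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)
VERSION_RE = re.compile(r"rule pack for Snort version (\d+)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> Dict[str, Dict[str, List[RuleEntry]]]:
    """Return {snort_version: {"new": [...], "modified": [...]}}.

    A new block starts at each 'rule pack for Snort version NNNN' line;
    'New Rules:' and 'Modified Rules:' select the list being filled.
    """
    packs: Dict[str, Dict[str, List[RuleEntry]]] = {}
    version = None
    section = None
    for line in text.splitlines():
        vm = VERSION_RE.search(line)
        if vm:
            version = vm.group(1)
            packs[version] = {"new": [], "modified": []}
            section = None
            continue
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m and version and section:
            packs[version][section].append(
                RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])
            )
    return packs


def missing_from(packs, have: str, lack: str, section: str = "new") -> List[RuleEntry]:
    """Rules listed for pack `have` that do not appear (by gid:sid) in pack `lack`."""
    present = {e.key for e in packs[lack][section]}
    return [e for e in packs[have][section] if e.key not in present]


def disabled_by_default(entries: List[RuleEntry], keyword: str) -> List[str]:
    """gid:sid keys of DISABLED rules whose message mentions `keyword`, sorted."""
    kw = keyword.lower()
    hits = [e for e in entries if e.state == "DISABLED" and kw in e.msg.lower()]
    return [e.key for e in sorted(hits, key=lambda e: (e.gid, e.sid))]


def enablesid_lines(keys: List[str]) -> List[str]:
    """One gid:sid per line, the form PulledPork's enablesid.conf accepts."""
    return [k for k in keys]


# Constructed excerpt: a handful of lines from the 2018-07-03 release for two packs.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:

 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 3:47074 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)
 * 3:47075 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (snort3-malware-cnc.rules)
 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (snort3-server-webapp.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (snort3-malware-other.rules)

Modified Rules:

 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (snort3-malware-other.rules)
"""

if __name__ == "__main__":
    packs = parse_changelog(SAMPLE)
    for e in missing_from(packs, "2091101", "3000"):
        print(f"only in the 2091101 pack: {e.key} {e.msg} [{e.group}]")
    all_2x = packs["2091101"]["new"] + packs["2091101"]["modified"]
    print("\n".join(enablesid_lines(disabled_by_default(all_2x, "command injection"))))
```

Running it against the excerpt reports 3:47074 and 3:47075 as present only in the Snort 2.9.11.1 pack, and lists 1:47031 and 1:47080 as the default-disabled command-injection signatures a site running Quest DR Series or Trend Micro Deep Discovery Email Inspector would want to enable. Feed it the whole page instead of SAMPLE to get the complete picture for every version block.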

2018-07-03 14:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47081 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules)
 * 1:47071 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47072 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:47082 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47083 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:47078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smokeloader outbound response (malware-cnc.rules)
 * 1:47076 <-> ENABLED <-> MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt (malware-cnc.rules)
 * 1:47065 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47066 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 3:47075 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)
 * 3:47074 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)

2018-07-03 14:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47083 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (snort3-browser-ie.rules)
 * 1:47082 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (snort3-browser-ie.rules)
 * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (snort3-policy-other.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (snort3-malware-cnc.rules)
 * 1:47066 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (snort3-browser-ie.rules)
 * 1:47071 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (snort3-browser-ie.rules)
 * 1:47073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smokeloader outbound response (snort3-malware-cnc.rules)
 * 1:47078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (snort3-server-webapp.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (snort3-file-office.rules)
 * 1:47069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (snort3-malware-cnc.rules)
 * 1:47076 <-> ENABLED <-> MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt (snort3-malware-cnc.rules)
 * 1:47065 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (snort3-browser-ie.rules)
 * 1:47072 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (snort3-browser-ie.rules)
 * 1:47081 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (snort3-server-webapp.rules)
 * 1:47079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (snort3-server-webapp.rules)
 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (snort3-server-webapp.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (snort3-malware-other.rules)
 * 1:47068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (snort3-malware-cnc.rules)
 * 1:47067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (snort3-malware-cnc.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (snort3-file-office.rules)

Modified Rules:


 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (snort3-malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (snort3-malware-cnc.rules)

2018-07-03 14:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47083 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47072 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47081 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smokeloader outbound response (malware-cnc.rules)
 * 1:47076 <-> ENABLED <-> MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt (malware-cnc.rules)
 * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules)
 * 1:47069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47066 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:47071 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47082 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47065 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 3:47075 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)
 * 3:47074 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)

2018-07-03 14:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-07-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47066 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47082 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47081 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47084 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt (malware-cnc.rules)
 * 1:47073 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Smokeloader outbound response (malware-cnc.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:47067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47078 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection (malware-cnc.rules)
 * 1:47072 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47065 <-> DISABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:47070 <-> DISABLED <-> POLICY-OTHER Arris VAP2500 default credentials authentication attempt (policy-other.rules)
 * 1:47071 <-> DISABLED <-> BROWSER-IE Microsoft Edge Cross Origin Request Sharing information leak attempt (browser-ie.rules)
 * 1:47083 <-> DISABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:47076 <-> ENABLED <-> MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt (malware-cnc.rules)
 * 1:47080 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 1:47079 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Deep Discovery Email Inspector command injection attempt (server-webapp.rules)
 * 3:47074 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)
 * 3:47075 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0623 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:46807 <-> ENABLED <-> MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter (malware-other.rules)
 * 1:47031 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup LicenseService.pm command injection attempt (server-webapp.rules)
 * 1:46782 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)
 * 1:46783 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt (malware-cnc.rules)