Talos Rules 2018-07-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-executable, file-identify, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-07-05 19:12:10 UTC

Snort Subscriber Rules Update

Date: 2018-07-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt (server-webapp.rules)

Modified Rules:


 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25061 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected (file-executable.rules)


This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.


New Rules:


 * 1:47088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt (server-webapp.rules)
 * 1:47087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)

Modified Rules:


 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:25061 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected (file-executable.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)


This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.


New Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt (snort3-server-webapp.rules)
 * 1:47087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (snort3-malware-cnc.rules)
 * 1:47088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (snort3-malware-cnc.rules)
 * 1:47089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (snort3-malware-cnc.rules)
 * 1:47090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (snort3-malware-cnc.rules)
 * 1:47086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (snort3-browser-ie.rules)
 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (snort3-browser-ie.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (snort3-file-other.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (snort3-file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (snort3-file-identify.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (snort3-file-other.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (snort3-file-identify.rules)
 * 1:25061 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected (snort3-file-executable.rules)


This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.


New Rules:


 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt (server-webapp.rules)
 * 1:47089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)

Modified Rules:


 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:25061 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected (file-executable.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)


This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.


New Rules:


 * 1:47087 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47088 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47089 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47090 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47086 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt (malware-cnc.rules)
 * 1:47085 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess authentication bypass attempt attempt (server-webapp.rules)

Modified Rules:


 * 1:40650 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25062 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:25516 <-> ENABLED <-> FILE-IDENTIFY Microsoft Software Installer MSI binary file magic detected (file-identify.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:43481 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40649 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Chakra.dll proxy object prototype return type confusion attempt (browser-ie.rules)
 * 1:25061 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Software Installer MSI binary file magic detected (file-executable.rules)
 * 1:23707 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:16474 <-> ENABLED <-> FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected (file-identify.rules)
 * 1:43482 <-> DISABLED <-> FILE-OTHER Vim modelines remote command execution attempt (file-other.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)