Talos has added and modified multiple rules in the file-other, malware-cnc, policy-other, protocol-voip, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (snort3-policy-other.rules)
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (snort3-malware-cnc.rules)
* 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (snort3-malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (snort3-server-webapp.rules)
* 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
* 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
* 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (snort3-server-webapp.rules)
* 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (snort3-malware-cnc.rules)
* 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (snort3-server-webapp.rules)
* 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (snort3-file-other.rules)
* 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (snort3-server-webapp.rules)
* 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (snort3-server-webapp.rules)
* 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (snort3-server-webapp.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (snort3-server-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (snort3-server-webapp.rules)
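The lists on this page all use the "gid:sid <-> Default rule state <-> Message (rule group)" notation described above. The following Python is an added example, not code from Talos or the Snort project: a small parser for that notation that pulls out the rules shipping DISABLED by default in a chosen message class and renders them as gid:sid lines. The sample entries are constructed from this page's own lists (including one line where extraction ran two entries together); the claim that a PulledPork enablesid.conf accepts bare gid:sid lines is an assumption of the example, not something the page states.

```python
import re

# Constructed sample in the page's "gid:sid <-> state <-> message (group)"
# notation; entries copied from the release note, with one run-together line
# of the kind extraction produces.
SAMPLE = """\
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (snort3-malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (snort3-server-webapp.rules) * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (snort3-server-webapp.rules)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (snort3-policy-other.rules)
* 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)
"""

# One entry: "* gid:sid <-> STATE <-> message (rule-file.rules)".
ENTRY_RE = re.compile(
    r"^\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[^()]+\.rules)\)$"
)
# Entries sometimes run together on one line; split just before each "* gid:sid <->".
SPLIT_RE = re.compile(r"(?=\*\s+\d+:\d+\s+<->)")


def parse_release_notes(text):
    """Parse release-note text into a list of dicts; prose lines that are not entries are skipped."""
    entries = []
    for raw in text.splitlines():
        for piece in SPLIT_RE.split(raw):
            m = ENTRY_RE.match(piece.strip())
            if not m:
                continue
            e = m.groupdict()
            e["gid"] = int(e["gid"])
            e["sid"] = int(e["sid"])
            # The message class (MALWARE-CNC, SERVER-WEBAPP, ...) is the first token of the message.
            e["category"] = e["msg"].split(" ", 1)[0]
            entries.append(e)
    return entries


def disabled_in(entries, categories):
    """(gid, sid) pairs of rules that ship DISABLED and belong to the given message classes."""
    return sorted(
        (e["gid"], e["sid"])
        for e in entries
        if e["state"] == "DISABLED" and e["category"] in categories
    )


def enablesid_text(pairs):
    """Render (gid, sid) pairs one per line as 'gid:sid'.

    Assumption of this example, not stated on the page: this is the form a
    PulledPork enablesid.conf takes for turning default-disabled rules on.
    """
    return "\n".join(f"{gid}:{sid}" for gid, sid in pairs)


def shared_object_sids(entries):
    """Sids carrying gid 3, i.e. shared-object rules, which only load where SO rules are supported."""
    return sorted(e["sid"] for e in entries if e["gid"] == 3)


if __name__ == "__main__":
    rules = parse_release_notes(SAMPLE)
    print(f"{len(rules)} entries parsed")
    print(enablesid_text(disabled_in(rules, {"SERVER-WEBAPP"})))
    print("shared-object sids:", shared_object_sids(rules))
```

A DISABLED default state means the rule is shipped but not active in the default policy, so the SERVER-WEBAPP entries above only fire once they are deliberately enabled; that is worth doing only on sensors in front of the products they cover, since a blanket enable of web-app rules mostly buys false positives. Note also that the gid 3 PROTOCOL-VOIP rule appears in the Snort 2.9.x lists but not in the Snort 3 list on this page.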
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
* 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
* 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
* 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
* 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
* 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
* 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
* 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
* 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
* 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
* 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
* 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
* 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
* 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
* 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
* 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
* 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
* 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
* 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
* 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
* 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
* 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
* 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
* 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
* 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
* 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
* 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
* 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
* 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
* 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
* 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
* 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
* 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
* 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
* 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
* 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)
* 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
* 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)