Talos Rules 2018-08-09
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-08-09 16:56:16 UTC

Snort Subscriber Rules Update

Date: 2018-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47459 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47458 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47473 <-> DISABLED <-> SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt (server-webapp.rules)
 * 1:47472 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt (server-webapp.rules)
 * 1:47471 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt (server-webapp.rules)
 * 1:47470 <-> DISABLED <-> SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt (server-webapp.rules)
 * 1:47469 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47468 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47467 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47463 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47460 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)

2018-08-09 16:56:16 UTC

Snort Subscriber Rules Update

Date: 2018-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47470 <-> DISABLED <-> SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt (server-webapp.rules)
 * 1:47459 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47471 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt (server-webapp.rules)
 * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47467 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47460 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47458 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47473 <-> DISABLED <-> SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt (server-webapp.rules)
 * 1:47472 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt (server-webapp.rules)
 * 1:47469 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47468 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47463 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)

Modified Rules:

 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)

2018-08-09 16:56:16 UTC

Snort Subscriber Rules Update

Date: 2018-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47472 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt (snort3-server-webapp.rules)
 * 1:47460 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (snort3-server-webapp.rules)
 * 1:47473 <-> DISABLED <-> SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
 * 1:47467 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (snort3-server-webapp.rules)
 * 1:47468 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (snort3-server-webapp.rules)
 * 1:47463 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (snort3-browser-ie.rules)
 * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (snort3-browser-plugins.rules)
 * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (snort3-browser-plugins.rules)
 * 1:47471 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47459 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (snort3-server-webapp.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
 * 1:47470 <-> DISABLED <-> SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:47469 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (snort3-server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (snort3-server-webapp.rules)
 * 1:47458 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (snort3-malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (snort3-malware-cnc.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (snort3-server-other.rules)

2018-08-09 16:56:16 UTC

Snort Subscriber Rules Update

Date: 2018-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47460 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47458 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47468 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47470 <-> DISABLED <-> SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt (server-webapp.rules)
 * 1:47459 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47471 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt (server-webapp.rules)
 * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47473 <-> DISABLED <-> SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt (server-webapp.rules)
 * 1:47469 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47472 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47463 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47467 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)

Modified Rules:

 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)

2018-08-09 16:56:16 UTC

Snort Subscriber Rules Update

Date: 2018-08-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47470 <-> DISABLED <-> SERVER-WEBAPP HomeMatic CCU2 remote arbitrary code execution attempt (server-webapp.rules)
 * 1:47460 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47459 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47472 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt (server-webapp.rules)
 * 1:47458 <-> DISABLED <-> SERVER-WEBAPP Zyxel EMG2926 command injection attempt (server-webapp.rules)
 * 1:47473 <-> DISABLED <-> SERVER-WEBAPP Kodi playlist creation persistent cross site scripting attempt (server-webapp.rules)
 * 1:47465 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47466 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47467 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47464 <-> ENABLED <-> SERVER-WEBAPP CGit cgit_clone_objects function directory traversal attempt (server-webapp.rules)
 * 1:47468 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47461 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47463 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:47469 <-> DISABLED <-> SERVER-WEBAPP Redaxo CMS addon SQL injection attempt (server-webapp.rules)
 * 1:47462 <-> DISABLED <-> BROWSER-PLUGINS CTSWebProxy ActiveX privilege escalation attempt (browser-plugins.rules)
 * 1:47471 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess gmicons.asp picfile arbitrary file upload attempt (server-webapp.rules)

Modified Rules:

 * 1:33600 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound detected (malware-cnc.rules)
 * 1:44972 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:44973 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ramnit variant outbound connection (malware-cnc.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)