Talos Rules 2018-09-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-image, file-other, malware-cnc, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-09-27 15:14:48 UTC

Snort Subscriber Rules Update

Date: 2018-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
 * 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
 * 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
 * 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)

Modified Rules:



2018-09-27 15:14:48 UTC

Snort Subscriber Rules Update

Date: 2018-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
 * 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
 * 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
 * 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)

Modified Rules:



2018-09-27 15:14:48 UTC

Snort Subscriber Rules Update

Date: 2018-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (snort3-policy-other.rules)
 * 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (snort3-file-image.rules)
 * 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (snort3-policy-other.rules)
 * 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (snort3-server-other.rules)
 * 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (snort3-server-other.rules)
 * 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)
 * 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (snort3-browser-plugins.rules)
 * 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (snort3-policy-other.rules)
 * 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (snort3-file-image.rules)
 * 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (snort3-malware-cnc.rules)
 * 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (snort3-file-image.rules)
 * 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)
 * 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (snort3-malware-cnc.rules)

Modified Rules:



2018-09-27 15:14:48 UTC

Snort Subscriber Rules Update

Date: 2018-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
 * 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
 * 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
 * 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)

Modified Rules:



2018-09-27 15:14:48 UTC

Snort Subscriber Rules Update

Date: 2018-09-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47896 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47915 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47899 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47910 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47904 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47901 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47898 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47902 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47908 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47903 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47907 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47905 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47906 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CobInt outbound connection (malware-cnc.rules)
 * 1:47900 <-> ENABLED <-> MALWARE-CNC Win.Trojan.OilRig variant outbound connection (malware-cnc.rules)
 * 1:47909 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMR_STRETCHDIBITS out-of-bounds write attempt (file-image.rules)
 * 1:47895 <-> DISABLED <-> BROWSER-PLUGINS Tor Browser 7.x NoScript secure mode bypass attempt (browser-plugins.rules)
 * 1:47911 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47914 <-> ENABLED <-> POLICY-OTHER Magecart js page injection attempt (policy-other.rules)
 * 1:47897 <-> DISABLED <-> SERVER-OTHER Alt-N MDaemon buffer overflow attempt (server-other.rules)
 * 1:47912 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader EMF file JPEG Huffman table heap overflow attempt (file-image.rules)
 * 1:47913 <-> ENABLED <-> POLICY-OTHER Magecart redirect page detected (policy-other.rules)
 * 3:47894 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)
 * 3:47916 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE denial of service attempt (server-webapp.rules)
 * 3:47917 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47919 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS XE NAT SIP application layer gateway denial of service attempt (protocol-voip.rules)
 * 3:47918 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0682 attack attempt (file-other.rules)
 * 3:47893 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI denial of service attempt (server-webapp.rules)

Modified Rules: