Talos Rules 2018-10-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (server-webapp.rules)
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (server-webapp.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (server-other.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 3:48255 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0695 attack attempt (server-webapp.rules)
 * 3:48253 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0698 attack attempt (server-webapp.rules)
 * 3:48254 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0696 attack attempt (server-webapp.rules)
 * 3:48250 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0697 attack attempt (server-webapp.rules)
 * 3:48251 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0699 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (server-webapp.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (server-other.rules)
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (server-webapp.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 3:48253 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0698 attack attempt (server-webapp.rules)
 * 3:48255 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0695 attack attempt (server-webapp.rules)
 * 3:48254 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0696 attack attempt (server-webapp.rules)
 * 3:48251 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0699 attack attempt (server-webapp.rules)
 * 3:48250 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0697 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (server-other.rules)
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (server-webapp.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (server-webapp.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 3:48250 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0697 attack attempt (server-webapp.rules)
 * 3:48251 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0699 attack attempt (server-webapp.rules)
 * 3:48253 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0698 attack attempt (server-webapp.rules)
 * 3:48254 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0696 attack attempt (server-webapp.rules)
 * 3:48255 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0695 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (snort3-server-webapp.rules)
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (snort3-file-pdf.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (snort3-file-pdf.rules)
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (snort3-server-other.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (snort3-file-other.rules)
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (snort3-server-webapp.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (snort3-server-webapp.rules)

Modified Rules:
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (snort3-browser-ie.rules)

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (server-other.rules)
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (server-webapp.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (server-webapp.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 3:48254 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0696 attack attempt (server-webapp.rules)
 * 3:48253 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0698 attack attempt (server-webapp.rules)
 * 3:48251 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0699 attack attempt (server-webapp.rules)
 * 3:48255 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0695 attack attempt (server-webapp.rules)
 * 3:48250 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0697 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)

2018-10-30 14:16:43 UTC

Snort Subscriber Rules Update

Date: 2018-10-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:48252 <-> DISABLED <-> SERVER-WEBAPP Idreamsoft iCMS admincp.php SQL injection attempt (server-webapp.rules)
 * 1:48249 <-> DISABLED <-> SERVER-OTHER GP ProEX WinGP Runtime directory traversal attempt (server-other.rules)
 * 1:48243 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48247 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48242 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF out of bounds read attempt (file-other.rules)
 * 1:48244 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48245 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 1:48256 <-> DISABLED <-> SERVER-WEBAPP Rubedo CMS Directory Traversal Attempt directory traversal attempt (server-webapp.rules)
 * 1:48248 <-> DISABLED <-> FILE-PDF Foxit Reader TypedArray uninitialized memory disclosure attempt (file-pdf.rules)
 * 1:48246 <-> DISABLED <-> SERVER-WEBAPP Supervene RazDC save_passwd.cgi command injection attempt (server-webapp.rules)
 * 3:48250 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0697 attack attempt (server-webapp.rules)
 * 3:48251 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0699 attack attempt (server-webapp.rules)
 * 3:48255 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0695 attack attempt (server-webapp.rules)
 * 3:48254 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0696 attack attempt (server-webapp.rules)
 * 3:48253 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0698 attack attempt (server-webapp.rules)

Modified Rules:
 * 1:34097 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 1:34098 <-> DISABLED <-> FILE-OTHER Multiple products external entity injection attempt (browser-ie.rules)
 * 3:48178 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0690 attack attempt (server-webapp.rules)