Talos Rules 2018-11-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-office and malware-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (malware-cnc.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)

Modified Rules:



2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (malware-cnc.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)

Modified Rules:



2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (malware-cnc.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)

Modified Rules:



2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (snort3-file-flash.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (snort3-malware-other.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (snort3-file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (snort3-file-office.rules)
 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (snort3-malware-other.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (snort3-file-flash.rules)
 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (snort3-malware-cnc.rules)

Modified Rules:



2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (malware-cnc.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)

Modified Rules:



2018-11-16 21:24:23 UTC

Snort Subscriber Rules Update

Date: 2018-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48426 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48425 <-> DISABLED <-> FILE-FLASH Adobe Flash Player AVM type confusion attempt (file-flash.rules)
 * 1:48420 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48422 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection (malware-cnc.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48421 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt (malware-other.rules)

Modified Rules: