Talos Rules 2019-03-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-office, file-other, file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that several of the new and modified rules (1:49326, 1:48837, 1:49253, 1:49254 and 1:38575) ship DISABLED by default and give no coverage until they are explicitly enabled.

Change logs

2019-03-05 14:52:07 UTC

Snort Subscriber Rules Update

Date: 2019-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (server-webapp.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (os-windows.rules)
 * 1:49329 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49327 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49330 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49328 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)

Modified Rules:


 * 1:49295 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49294 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)

2019-03-05 14:52:07 UTC

Snort Subscriber Rules Update

Date: 2019-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49328 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (os-windows.rules)
 * 1:49329 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49330 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49327 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (server-webapp.rules)
 * 1:49332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)

Modified Rules:


 * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49294 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49295 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-03-05 14:52:07 UTC

Snort Subscriber Rules Update

Date: 2019-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49330 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49329 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49328 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49327 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (server-webapp.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (os-windows.rules)

Modified Rules:


 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49294 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:49295 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-03-05 14:52:07 UTC

Snort Subscriber Rules Update

Date: 2019-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (snort3-os-windows.rules)
 * 1:49327 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:49332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (snort3-malware-cnc.rules)
 * 1:49331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (snort3-malware-cnc.rules)
 * 1:49329 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:49330 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (snort3-malware-cnc.rules)
 * 1:49328 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (snort3-malware-cnc.rules)

Modified Rules:


 * 1:49295 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (snort3-file-office.rules)
 * 1:49294 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (snort3-server-other.rules)

2019-03-05 14:52:07 UTC

Snort Subscriber Rules Update

Date: 2019-03-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (server-webapp.rules)
 * 1:49332 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt (malware-cnc.rules)
 * 1:49330 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49328 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49329 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49327 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected (malware-cnc.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (os-windows.rules)

Modified Rules:


 * 1:49290 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49295 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49294 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:49253 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:49254 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word styleWithEffects use-after-free attempt (file-office.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)
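Every rule line in this release follows the `gid:sid <-> Default rule state <-> Message (rule group)` format stated above, and the same SID list is repeated once per Snort version with only the rule-group filename changing (the `snort3-*` files for version 3000). The following Python is an added example, not Talos or Snort tooling: it parses a release note in that format, splits the New and Modified entries per Snort version, lists the rules that ship DISABLED (the ones an operator must enable to get coverage), and checks that every version's section carries the same gid:sid and state set. The `SAMPLE` text is a constructed excerpt of two of this page's sections; the function and class names are the example's own.

```python
"""Parse a Snort Subscriber Rules Update changelog (added example, not Talos code).

Rule lines have the form documented in the release note:
    gid:sid <-> Default rule state <-> Message (rule group)
"""
import re
from dataclasses import dataclass

# One rule line, e.g. " * 1:49326 <-> DISABLED <-> SERVER-WEBAPP ... attempt (server-webapp.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)
# Section header naming the rule pack, e.g. "... for Snort version 2983."
VERSION_RE = re.compile(r"for Snort version (?P<version>\d+)\.")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default rule state as shipped in the pack
    message: str
    group: str         # rule file, differs between Snort 2 and snort3-* packs


def parse_rule_line(line):
    """Return a RuleEntry for a changelog rule line, or None if it is not one."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                     m["msg"], m["group"])


def parse_release(text):
    """Map Snort version -> {"new": [RuleEntry], "modified": [RuleEntry]}."""
    release, version, section = {}, None, None
    for line in text.splitlines():
        vm = VERSION_RE.search(line)
        if vm:
            version = int(vm["version"])
            release[version] = {"new": [], "modified": []}
            section = None
            continue
        header = line.strip().lower()
        if header == "new rules:":
            section = "new"
        elif header == "modified rules:":
            section = "modified"
        elif version is not None and section is not None:
            entry = parse_rule_line(line)
            if entry:
                release[version][section].append(entry)
    return release


def disabled_by_default(entries):
    """gid:sid strings for rules that ship DISABLED: no coverage until enabled."""
    return [f"{gid}:{sid}" for gid, sid in
            sorted((e.gid, e.sid) for e in entries if not e.enabled)]


def versions_agree(release):
    """True if every Snort version lists the same (section, gid, sid, state) set.

    The rule group is deliberately ignored: it legitimately differs between the
    Snort 2 packs (file-pdf.rules) and the Snort 3 pack (snort3-file-pdf.rules).
    """
    keyed = [frozenset((sec, e.gid, e.sid, e.enabled)
                       for sec, entries in sections.items() for e in entries)
             for sections in release.values()]
    return all(k == keyed[0] for k in keyed[1:])


# Constructed excerpt: two of this release's sections, two rules per list.
SAMPLE = """\
Snort Subscriber Rules Update
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
New Rules:
 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (server-webapp.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (os-windows.rules)
Modified Rules:
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (server-webapp.rules)

Snort Subscriber Rules Update
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.
New Rules:
 * 1:49326 <-> DISABLED <-> SERVER-WEBAPP Rockwell Automation Allen-Bradley PowerMonitor 1000 cross site scripting attempt (snort3-server-webapp.rules)
 * 1:49333 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt (snort3-os-windows.rules)
Modified Rules:
 * 1:49289 <-> ENABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:48837 <-> DISABLED <-> SERVER-WEBAPP ThinkPHP 5.0.23/5.1.31 command injection attempt (snort3-server-webapp.rules)
"""

if __name__ == "__main__":
    release = parse_release(SAMPLE)
    for version, sections in release.items():
        print(f"Snort {version}: {len(sections['new'])} new, "
              f"{len(sections['modified'])} modified; disabled by default: "
              f"{disabled_by_default(sections['new'] + sections['modified'])}")
    print("all versions carry the same SID/state set:", versions_agree(release))
```

Run it against the full text of a release note to get, per pack, the gid:sid list you still have to enable in your own rule management before the new coverage is live; the cross-version check catches a pack whose section was truncated or edited inconsistently.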