Talos Rules 2019-04-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, server-other, server-webapp and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
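
The gid:sid <-> state <-> message (group) lines above are easy to parse, and the two things an operator wants from a changelog like this are: which of the new rules ship DISABLED (they fire on nothing until enabled, so each needs a decision against the environment, e.g. whether DirectAdmin or Flexpaper is deployed), and whether the per-version packs listed below really carry the same SIDs. The following Python is an added example, not Talos or Snort code. It runs on a constructed excerpt of the list above; the gid:sid token format produced by sid_tokens is an assumption about what rule-management tooling accepts.

```python
import re
from collections import Counter

# Constructed sample in the page's own "gid:sid <-> state <-> message (group)" layout.
# The rule lines are copied from the changelog above; it is not the full list.
SAMPLE_CHANGELOG = """\
Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

New Rules:

 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)

Modified Rules:

 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
"""

VERSION_LINE = re.compile(r"for Snort version (\d+)")
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def snort_version(text):
    """Snort version the rule pack targets, or None if the header line is absent."""
    m = VERSION_LINE.search(text)
    return m.group(1) if m else None


def parse_changelog(text):
    """Parse rule lines into dicts tagged with the section ('new' or 'modified') they sit in."""
    rules, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
        elif stripped == "Modified Rules:":
            section = "modified"
        else:
            m = RULE_LINE.match(line)
            if m:
                r = m.groupdict()
                r["gid"], r["sid"] = int(r["gid"]), int(r["sid"])
                r["section"] = section
                rules.append(r)
    return rules


def disabled_by_default(rules, section="new"):
    """Rules that ship DISABLED fire on nothing until an operator turns them on;
    these are the ones to review against the environment before deploying the pack."""
    return [r for r in rules if r["section"] == section and r["state"] == "DISABLED"]


def count_by_group(rules):
    """How many rules each category file received (compare with the summary at the top of the page)."""
    return Counter(r["group"] for r in rules)


def sid_tokens(rules):
    """gid:sid tokens for the given rules. Assumption: this is the shape rule-management
    tooling (for example a pulledpork enablesid list) accepts when enabling rules."""
    return [f"{r['gid']}:{r['sid']}" for r in rules]


def sid_set(rules):
    return {(r["gid"], r["sid"]) for r in rules}


def differences(rules_a, rules_b):
    """(gid, sid) pairs present in one changelog but not the other, to confirm that the
    per-version packs (2091200, 2091101, 3000, ...) carry the same rule changes."""
    a, b = sid_set(rules_a), sid_set(rules_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print("snort version:", snort_version(SAMPLE_CHANGELOG))
    for r in disabled_by_default(rules):
        print(f"review: {r['gid']}:{r['sid']} {r['msg']} [{r['group']}]")
    print(dict(count_by_group(rules)))
```

Feed each of the per-version changelogs on this page through parse_changelog and pass two results to differences; an empty pair of lists confirms the packs differ only in ordering and in the snort3- file prefixes, not in content. Rules are keyed on (gid, sid) rather than the message text because the message is free text and the same SID can be reworded between releases.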

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (snort3-indicator-compromise.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (snort3-server-webapp.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (snort3-indicator-compromise.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (snort3-file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (snort3-server-other.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (snort3-server-other.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (snort3-server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (snort3-server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (snort3-sql.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (snort3-file-other.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (snort3-malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (snort3-server-other.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (snort3-malware-cnc.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (snort3-server-webapp.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (snort3-server-webapp.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (snort3-sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)