Talos Rules 2019-04-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, server-other, server-webapp and sql rule sets to provide coverage for emerging threats in these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
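
The "gid:sid <-> Default rule state <-> Message (rule group)" format above is what every per-version section on this page uses, so it is worth parsing rather than reading by eye. The script below is an added example (this editor's code, not Talos or Snort tooling): it turns a change-log section into records, lists the new rules that fire out of the box, groups SIDs by rule file, emits gid:sid lines of the kind PulledPork's enablesid/disablesid files take, and checks that two per-version sections ship the same SIDs. The first sample is copied from the listing above; the second is a constructed, deliberately shortened snort3 section with one SID missing, so that the cross-version check has something to flag.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Matches one change-log entry, e.g.
#  * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul ... attempt (server-other.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default rule state in the shipped ruleset
    msg: str
    group: str         # rule file, e.g. server-other.rules or snort3-server-other.rules
    section: str       # "new" or "modified"

    @property
    def category(self) -> str:
        # Messages begin with the category prefix: SERVER-OTHER, FILE-PDF, MALWARE-CNC, ...
        return self.msg.split(" ", 1)[0]


def parse_changelog(text: str) -> list[Rule]:
    """Parse one 'Snort Subscriber Rules Update' section into Rule records."""
    rules, section = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "New Rules:":
            section = "new"
        elif head == "Modified Rules:":
            section = "modified"
        elif section and (m := ENTRY_RE.match(line)):
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                              m["msg"], m["group"], section))
    return rules


def new_enabled_sids(rules: list[Rule]) -> list[int]:
    """New rules enabled by default: these change what the sensor alerts on as soon as the pack lands."""
    return sorted(r.sid for r in rules if r.section == "new" and r.enabled)


def sids_by_group(rules: list[Rule]) -> dict[str, list[int]]:
    groups: dict[str, list[int]] = defaultdict(list)
    for r in rules:
        groups[r.group].append(r.sid)
    return {g: sorted(s) for g, s in groups.items()}


def sid_lines(rules: list[Rule], enabled: bool) -> list[str]:
    """gid:sid lines, one per rule, as accepted by PulledPork enablesid/disablesid files.
    Useful for turning the DISABLED rules you do want (e.g. the web-app ones) into a local enable list."""
    return [f"{r.gid}:{r.sid}" for r in sorted(rules, key=lambda r: (r.gid, r.sid))
            if r.enabled == enabled]


def compare_versions(a: list[Rule], b: list[Rule]) -> tuple[set, set]:
    """SIDs present in one per-version section but not the other; both sets should be empty
    when every supported Snort version received the same coverage."""
    ka = {(r.gid, r.sid) for r in a}
    kb = {(r.gid, r.sid) for r in b}
    return ka - kb, kb - ka


# Sample input copied from the Snort 2.9 listing above (a subset of the entries).
SAMPLE = """\
New Rules:

 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)

Modified Rules:

 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
"""

# Constructed snort3 section for the cross-version check: same entries, but 1:49657 deliberately left out.
SAMPLE_SNORT3 = """\
New Rules:

 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (snort3-server-other.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (snort3-sql.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (snort3-sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("new rules enabled by default:", new_enabled_sids(rules))
    print("per rule file:", sids_by_group(rules))
    print("disablesid-style lines:", sid_lines(rules, enabled=False))
    print("only in 2.9 / only in snort3:", compare_versions(rules, parse_changelog(SAMPLE_SNORT3)))
```

Run it against a whole section pasted from this page and the first thing to read is the output of `new_enabled_sids`: on this release that is the two MALWARE-CNC rules, the Consul RCE rule, the TOR script-execution rule and the blind SQL injection rule, which is exactly the set whose false-positive behaviour needs watching after the update.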

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (snort3-indicator-compromise.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (snort3-server-webapp.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (snort3-indicator-compromise.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (snort3-file-other.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (snort3-server-other.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (snort3-server-other.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (snort3-server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (snort3-server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (snort3-sql.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (snort3-file-other.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (snort3-malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (snort3-server-other.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (snort3-malware-cnc.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (snort3-server-webapp.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (snort3-file-flash.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (snort3-server-webapp.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (snort3-sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (snort3-os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)

2019-04-04 13:51:55 UTC

Snort Subscriber Rules Update

Date: 2019-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49653 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection (malware-cnc.rules)
 * 1:49672 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file upload attempt (server-other.rules)
 * 1:49660 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49675 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49656 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49664 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TSCookie variant outbound connection (malware-cnc.rules)
 * 1:49655 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49654 <-> DISABLED <-> FILE-FLASH Adobe Flash Player PCRE control character denial of service attempt (file-flash.rules)
 * 1:49657 <-> DISABLED <-> INDICATOR-COMPROMISE php web shell upload attempt (indicator-compromise.rules)
 * 1:49661 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49659 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49674 <-> DISABLED <-> FILE-OTHER PHP use after free attempt (file-other.rules)
 * 1:49671 <-> ENABLED <-> INDICATOR-COMPROMISE Script execution from TOR attempt (indicator-compromise.rules)
 * 1:49662 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)
 * 1:49670 <-> ENABLED <-> SERVER-OTHER Hashicorp Consul services API remote code execution attempt (server-other.rules)
 * 1:49658 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XFA font size out-of-bounds read attempt (file-pdf.rules)
 * 1:49665 <-> DISABLED <-> SERVER-WEBAPP DirectAdmin admin account creation attempt (server-webapp.rules)
 * 1:49666 <-> ENABLED <-> SQL HTTP URI blind injection attempt (sql.rules)
 * 1:49667 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper command injection attempt (server-webapp.rules)
 * 1:49668 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper deletion of configuration file attempt (server-webapp.rules)
 * 1:49669 <-> DISABLED <-> SERVER-WEBAPP Flexpaper and Flowpaper potential arbitrary file deletion attempt (server-webapp.rules)
 * 1:49673 <-> DISABLED <-> SERVER-OTHER PHP gdImageColorMatch heap buffer overflow file download attempt (server-other.rules)
 * 1:49663 <-> DISABLED <-> SERVER-WEBAPP CMSsite 1.0 SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:49628 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49629 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49630 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)
 * 1:49631 <-> DISABLED <-> OS-WINDOWS Huawei PCManager device driver privilege escalation attempt (os-windows.rules)