Talos Rules 2019-04-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other and protocol-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 3:49797 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)
 * 3:49798 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (file-other.rules)
 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)
 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (file-other.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

New Rules:


 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 3:49797 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)
 * 3:49798 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (file-other.rules)
 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (file-other.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)
 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 3:49797 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)
 * 3:49798 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (file-other.rules)
 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)
 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (file-other.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (snort3-browser-ie.rules)
 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (snort3-malware-cnc.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (snort3-malware-cnc.rules)
 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (snort3-file-other.rules)
 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (snort3-file-other.rules)

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

New Rules:


 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 3:49798 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)
 * 3:49797 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (file-other.rules)
 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (file-other.rules)
 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)

2019-04-12 22:15:28 UTC

Snort Subscriber Rules Update

Date: 2019-04-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:


 * 1:49800 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 1:49799 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MHTML XXE external entity attempt (browser-ie.rules)
 * 3:49797 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)
 * 3:49798 <-> ENABLED <-> PROTOCOL-OTHER TRUFFLEHUNTER TALOS-2019-0798 attack attempt (protocol-other.rules)

Modified Rules:


 * 1:24087 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP (malware-cnc.rules)
 * 1:37313 <-> DISABLED <-> FILE-OTHER Multiple products external entity data exfiltration attempt (file-other.rules)
 * 1:24088 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP (malware-cnc.rules)
 * 1:37312 <-> DISABLED <-> FILE-OTHER Mulitple products external entity data exfiltration attempt (file-other.rules)