Talos Rules 2019-04-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-other, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (server-webapp.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (server-webapp.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 3:49894 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49895 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49896 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)
 * 3:49897 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)

Modified Rules:


 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (server-webapp.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (server-webapp.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 3:49894 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49895 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49896 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)
 * 3:49897 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)

Modified Rules:


 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (server-webapp.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (server-webapp.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 3:49894 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49895 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49896 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)
 * 3:49897 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)

Modified Rules:


 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (snort3-browser-ie.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (snort3-malware-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (snort3-malware-other.rules)
 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (snort3-server-apache.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (snort3-browser-ie.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (snort3-server-webapp.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)
 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (snort3-server-webapp.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (snort3-server-other.rules)

Modified Rules:


 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (snort3-file-other.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (snort3-browser-ie.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (snort3-server-webapp.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (snort3-browser-ie.rules)
 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (snort3-browser-ie.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (snort3-browser-ie.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (snort3-server-webapp.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (snort3-server-apache.rules)

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (server-webapp.rules)
 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (server-webapp.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 3:49894 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49895 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49896 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)
 * 3:49897 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)

Modified Rules:


 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)

2019-04-23 13:54:16 UTC

Snort Subscriber Rules Update

Date: 2019-04-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49892 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49899 <-> DISABLED <-> SERVER-WEBAPP Oracle Business Intelligence and XML Publisher XML external entity injection attempt (server-webapp.rules)
 * 1:49887 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49886 <-> DISABLED <-> BROWSER-IE Microsoft Windows IOleCvt interface use attempt (browser-ie.rules)
 * 1:49898 <-> ENABLED <-> SERVER-WEBAPP Zimbra SSRF privilege escalation attempt (server-webapp.rules)
 * 1:49893 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49891 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49890 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:49889 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 1:49885 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:49888 <-> ENABLED <-> MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt (malware-other.rules)
 * 3:49894 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49895 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0812 attack attempt (file-other.rules)
 * 3:49896 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)
 * 3:49897 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0813 attack attempt (file-other.rules)

Modified Rules:


 * 1:49864 <-> DISABLED <-> FILE-OTHER Multiple Products XML external entity information disclosure attempt (file-other.rules)
 * 1:49527 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare deprecated function access attempt (server-webapp.rules)
 * 1:49528 <-> DISABLED <-> SERVER-WEBAPP WordPress SocialWarfare plugin stored cross site scripting attempt (server-webapp.rules)
 * 1:27245 <-> ENABLED <-> SERVER-APACHE Apache Struts2 remote code execution attempt (server-apache.rules)
 * 1:34064 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:34065 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)