Talos Rules 2019-05-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-other, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
 * 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
 * 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
 * 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
 * 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
 * 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (snort3-indicator-obfuscation.rules)
 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (snort3-malware-cnc.rules)
 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (snort3-indicator-obfuscation.rules)

Modified Rules:


 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)
 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (snort3-server-webapp.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (snort3-browser-ie.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (snort3-browser-plugins.rules)

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)
 * 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
 * 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)

2019-05-16 13:27:03 UTC

Snort Subscriber Rules Update

Date: 2019-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50130 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:50125 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kpot variant outbound connection (malware-cnc.rules)
 * 1:50127 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50124 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:50128 <-> DISABLED <-> INDICATOR-OBFUSCATION ActiveXObject javascript obfuscation attempt (indicator-obfuscation.rules)
 * 1:50129 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 3:50132 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49985 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50133 <-> ENABLED <-> FILE-OTHER Cisco WebEx Network Recording Player memory corruption attempt (file-other.rules)
 * 3:49987 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary file upload to tftpRoot attempt (server-webapp.rules)
 * 3:49986 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure arbitrary JSP file upload attempt (server-webapp.rules)
 * 3:49984 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure SQL injection attempt (server-webapp.rules)
 * 3:50131 <-> ENABLED <-> PROTOCOL-SNMP Cisco Small Business Series Switches SNMP denial of service attempt (protocol-snmp.rules)

Modified Rules:


 * 1:50041 <-> ENABLED <-> SERVER-WEBAPP Jenkins CI Server ASTTest code execution attempt (server-webapp.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:48903 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:48901 <-> DISABLED <-> BROWSER-PLUGINS CA Internet Security Suite XMLSecDB ActiveX function call access (browser-plugins.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 3:46494 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46493 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)
 * 3:46492 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Infrastructure directory traversal attempt (server-webapp.rules)