Talos Rules 2019-08-22
This release adds and modifies rules in several categories.

Talos is releasing coverage for CVE-2019-1182 known as DejaBlue.

Rule to detect attacks targeting these vulnerabilities is included in this release and is identified with GID 3, SID 51216.

Talos also has added and modified multiple rules in the browser-webkit, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (snort3-server-other.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (snort3-server-other.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (snort3-os-windows.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (snort3-server-webapp.rules)
 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (snort3-server-other.rules)

Modified Rules:


 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (snort3-browser-webkit.rules)
 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (snort3-browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)

2019-08-22 23:18:43 UTC

Snort Subscriber Rules Update

Date: 2019-08-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51215 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS zero-length fragments denial of service attempt (server-other.rules)
 * 1:51209 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51212 <-> DISABLED <-> SERVER-OTHER MIT Kerberos kpasswd UDP denial of service attempt (server-other.rules)
 * 1:51213 <-> DISABLED <-> SERVER-WEBAPP WordPress page-flip-image-gallery plugin arbitrary file upload attempt (server-webapp.rules)
 * 1:51208 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51207 <-> DISABLED <-> SERVER-WEBAPP WordPress default admin theme cross site scripting attempt (server-webapp.rules)
 * 1:51214 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS bad fragment length denial of service attempt (server-other.rules)
 * 1:51210 <-> DISABLED <-> SERVER-WEBAPP Forum Livre busca2.asp cross site scripting attempt (server-webapp.rules)
 * 1:51211 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DHCP client Options parsing buffer overflow attempt (os-windows.rules)
 * 3:51216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RDP DecompressUnchopper integer overflow attempt (os-windows.rules)

Modified Rules:


 * 1:25038 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:25040 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)