Talos Rules 2019-11-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-webkit, indicator-compromise, malware-cnc, os-mobile, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (snort3-server-webapp.rules)
 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (snort3-browser-chrome.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (snort3-browser-webkit.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (snort3-indicator-compromise.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (snort3-browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (snort3-browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (snort3-browser-webkit.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (snort3-malware-cnc.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (snort3-server-webapp.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (snort3-browser-chrome.rules)

Modified Rules:


 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (snort3-malware-cnc.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (snort3-protocol-voip.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)

2019-11-14 14:34:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52251 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52245 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52243 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 1:52252 <-> ENABLED <-> MALWARE-CNC Win.Adware.DomaIQ variant outbound connection (malware-cnc.rules)
 * 1:52249 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52246 <-> ENABLED <-> INDICATOR-COMPROMISE AgentTesla variant outbound connection attempt (indicator-compromise.rules)
 * 1:52250 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.includes information leak attempt (browser-chrome.rules)
 * 1:52248 <-> DISABLED <-> BROWSER-CHROME Google Chrome Javascript V8 Array.indexOf information leak attempt (browser-chrome.rules)
 * 1:52244 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari WebKit handleIntrinsicCall type confusion attempt (browser-webkit.rules)
 * 1:52242 <-> DISABLED <-> SERVER-WEBAPP D-Link DNS-320 ShareCenter command injection attempt (server-webapp.rules)
 * 3:52247 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0510 attack attempt (server-other.rules)

Modified Rules:


 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:52087 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:52091 <-> DISABLED <-> PROTOCOL-VOIP SIP Torture request embedded linear white space in URI attempt (protocol-voip.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:51636 <-> ENABLED <-> MALWARE-CNC Rig exploit kit outbound connection (malware-cnc.rules)