Talos Rules 2016-09-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-09-29 15:34:00 UTC

Snort Subscriber Rules Update

Date: 2016-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poxters external connection (malware-cnc.rules)
 * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection attempt (malware-cnc.rules)
 * 1:40291 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection attempt (malware-cnc.rules)
 * 1:40293 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40292 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40295 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40296 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40297 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40294 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40302 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed Portal cross-site scripting attempt (server-apache.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET buffer overflow attempt (server-other.rules)
 * 3:40304 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
 * 3:40303 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
 * 3:40299 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
 * 3:40300 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
 * 3:40298 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed H.450 PER data out of bounds read attempt (protocol-voip.rules)

Modified Rules:


 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)

2016-09-29 15:34:00 UTC

Snort Subscriber Rules Update

Date: 2016-09-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40302 <-> DISABLED <-> SERVER-APACHE Apache Jetspeed Portal cross-site scripting attempt (server-apache.rules)
 * 1:40301 <-> DISABLED <-> SERVER-OTHER Redis CONFIG SET buffer overflow attempt (server-other.rules)
 * 1:40297 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40296 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40295 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40294 <-> DISABLED <-> FILE-IMAGE PHP exif_process_IFD_in_MAKERNOTE out of bounds read attempt (file-image.rules)
 * 1:40293 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40292 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40291 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess openWidget directory traversal attempt (server-webapp.rules)
 * 1:40290 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection attempt (malware-cnc.rules)
 * 1:40289 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection attempt (malware-cnc.rules)
 * 1:40288 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Poxters external connection (malware-cnc.rules)
 * 3:40300 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)
 * 3:40304 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
 * 3:40303 <-> ENABLED <-> PROTOCOL-SCADA Cisco IOS CIP request parser out of bounds array access attempt (protocol-scada.rules)
 * 3:40298 <-> ENABLED <-> PROTOCOL-VOIP Cisco IOS malformed H.450 PER data out of bounds read attempt (protocol-voip.rules)
 * 3:40299 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0195 attack attempt (file-other.rules)

Modified Rules:


 * 1:34463 <-> DISABLED <-> APP-DETECT TeamViewer remote administration tool outbound connection attempt (app-detect.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco IOS invalid IKE fragment length memory corruption or exhaustion attempt (server-other.rules)