Talos Rules 2017-01-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, file-flash, file-office, file-pdf and protocol-voip rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-01-26 16:28:13 UTC

Snort Subscriber Rules Update

Date: 2017-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41416 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 1:41417 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 1:41413 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41414 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 3:41415 <-> ENABLED <-> PROTOCOL-VOIP Cisco Expressway and TelePresence VCS denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:35642 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
 * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:35643 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)

2017-01-26 16:28:12 UTC

Snort Subscriber Rules Update

Date: 2017-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41417 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 1:41416 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 1:41414 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41413 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 3:41415 <-> ENABLED <-> PROTOCOL-VOIP Cisco Expressway and TelePresence VCS denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
 * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
 * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:35643 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)
 * 1:35642 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)

2017-01-26 16:28:13 UTC

Snort Subscriber Rules Update

Date: 2017-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41411 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41412 <-> ENABLED <-> FILE-FLASH Adobe Flash Player custom toString function attempt (file-flash.rules)
 * 1:41413 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41414 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 1:41416 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 1:41417 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader image cache use after free attempt (file-pdf.rules)
 * 3:41415 <-> ENABLED <-> PROTOCOL-VOIP Cisco Expressway and TelePresence VCS denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38637 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
 * 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
 * 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
 * 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
 * 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
 * 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
 * 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
 * 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
 * 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
 * 1:38394 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip invalid extra field evasion attempt (indicator-obfuscation.rules)
 * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
 * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header illegal character prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:35643 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:35642 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative previously set SharedObject variable set attempt (file-flash.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION Multiple Encodings header evasion attempt (indicator-obfuscation.rules)
 * 1:38678 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:38679 <-> DISABLED <-> INDICATOR-OBFUSCATION non HTTP 1.1 version with 1.1 headers evasion attempt (indicator-obfuscation.rules)
 * 1:40250 <-> DISABLED <-> INDICATOR-OBFUSCATION Chunked encoding used without HTTP 1.1 evasion attempt. (indicator-obfuscation.rules)
 * 1:38734 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header value without key evasion attempt (indicator-obfuscation.rules)
 * 1:39323 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with invalid CRC16 evasion attempt (indicator-obfuscation.rules)
 * 1:38642 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 301 response evasion attempt (indicator-obfuscation.rules)
 * 1:39321 <-> DISABLED <-> INDICATOR-OBFUSCATION Gzip encoded with reserved bit set evasion attempt (indicator-obfuscation.rules)
 * 1:38667 <-> DISABLED <-> INDICATOR-OBFUSCATION Mixed case encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38677 <-> DISABLED <-> INDICATOR-OBFUSCATION UTF-8 evasion attempt (indicator-obfuscation.rules)
 * 1:39320 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)