Talos Rules 2017-01-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, deleted, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other, protocol-dns, server-iis, server-other, server-webapp and sql rule sets to provide coverage for emerging threats in these categories.

Change logs

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
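The line format above is regular enough to parse mechanically, which is how a detection engineer would normally consume these changelogs: pull out every gid:sid with its default state and rule group, count what ships DISABLED per group, and emit the identifiers to turn on for the groups that matter on a given sensor. The script below is an added example written for this page, not Talos or PulledPork code. The sample text is a handful of lines copied from the changelogs on this page; the `gid:sid`-per-line output of `disabled_sids` mirrors the enablesid.conf convention and is an assumption about the downstream tool. GID 3 entries are shared-object rules, which are compiled against a specific Snort build (that is why the same rule list is published once per Snort version), so `shared_object_sids` separates them out for a check that the matching SO stubs are loaded.

```python
import re
from collections import Counter, defaultdict

# One changelog entry, e.g.:
#  * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize ... attempt (server-webapp.rules)
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)


def parse_line(line):
    """Parse a single 'gid:sid <-> state <-> message (group)' line; None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "gid": int(m["gid"]),
        "sid": int(m["sid"]),
        "state": m["state"],
        "msg": m["msg"],
        "group": m["group"],
    }


def parse_changelog(text):
    """Split a changelog into its 'New Rules:' and 'Modified Rules:' sections."""
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            current = "new"
            continue
        if stripped == "Modified Rules:":
            current = "modified"
            continue
        rule = parse_line(line)
        if rule is not None and current is not None:
            sections[current].append(rule)
    return sections


def state_summary(rules):
    """Per rule group, how many entries ship ENABLED vs DISABLED by default."""
    summary = defaultdict(Counter)
    for r in rules:
        summary[r["group"]][r["state"]] += 1
    return {group: dict(counts) for group, counts in summary.items()}


def disabled_sids(rules, groups):
    """gid:sid strings for DISABLED rules in the chosen groups (enablesid.conf style, assumed)."""
    return sorted(
        f"{r['gid']}:{r['sid']}"
        for r in rules
        if r["state"] == "DISABLED" and r["group"] in groups
    )


def shared_object_sids(rules):
    """(gid, sid) of GID 3 shared-object rules, which must match the sensor's Snort build."""
    return sorted((r["gid"], r["sid"]) for r in rules if r["gid"] == 3)


# Constructed sample: lines copied from the 2017-01-31 changelogs on this page.
SAMPLE = """\
Snort Subscriber Rules Update

New Rules:

 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)

Modified Rules:

 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)
"""


if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    print("default states per group:", state_summary(sections["new"]))
    # Only web-facing groups; deleted.rules is deliberately left out of the set.
    print("to enable:", disabled_sids(sections["new"], {"server-webapp.rules", "sql.rules"}))
    print("shared-object rules:", shared_object_sids(sections["new"] + sections["modified"]))
```

Passing the group set explicitly is the point of `disabled_sids`: rules in deleted.rules are DISABLED too, and a blanket "enable everything disabled" would re-enable retired signatures, so the filter is by rule group rather than by state alone.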

New Rules:


 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)

Modified Rules:


 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)

Modified Rules:


 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)