Talos Rules 2017-02-02
Talos is aware of a vulnerability affecting Microsoft Windows.

CVE-2017-0016: A coding deficiency exists in Microsoft Windows SMB that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 41499.

Talos has also added and modified multiple rules in the browser-ie, browser-plugins, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-02-02 22:14:10 UTC

Snort Subscriber Rules Update

Date: 2017-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
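The line format stated above is simple enough to parse mechanically, which is how an operator usually consumes these releases: pull out which rules are new, which are modified, and which new rules ship DISABLED and therefore provide no coverage until a policy decision turns them on. The parser below is an added example, not Talos or Snort tooling; the sample input is a constructed subset of the entries listed in this change log, and the field names (`category`, `group`, `section`) are this example's own.

```python
"""Parse a Snort Subscriber Rules Update change log into structured records.

Added example (not Talos/Snort tooling). It reads the line format the change
log states, 'gid:sid <-> Default rule state <-> Message (rule group)', and
answers the questions an operator asks of a release: which rules are new,
which are modified, and which new rules ship DISABLED by default.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One change-log entry, e.g.
#  " * 1:41499 <-> ENABLED <-> SERVER-SAMBA ... attempt (server-samba.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<message>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Section headers as they appear in the change log, mapped to a short tag.
SECTION_HEADERS = {"New Rules:": "new", "Modified Rules:": "modified"}


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading classification token of the message, e.g. SERVER-SAMBA
    message: str
    group: str      # rule file the rule lives in, e.g. server-samba.rules
    section: str    # "new" or "modified"

    @property
    def ref(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Return every rule entry in the change log, tagged with its section."""
    entries: list[RuleEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # prose, blank lines and the format description carry no rule data
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        category, _, _ = m["message"].partition(" ")
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            category=category, message=m["message"],
            group=m["group"], section=section,
        ))
    return entries


def new_rules_disabled_by_default(entries: list[RuleEntry]) -> list[str]:
    """gid:sid of new rules that ship DISABLED: no coverage until enabled explicitly."""
    return sorted(e.ref for e in entries if e.section == "new" and not e.enabled)


def rules_by_group(entries: list[RuleEntry]) -> dict[str, list[str]]:
    """Group gid:sid references by the rule file they belong to."""
    groups: dict[str, list[str]] = {}
    for e in entries:
        groups.setdefault(e.group, []).append(e.ref)
    return groups


def find_rule(entries: list[RuleEntry], gid: int, sid: int) -> RuleEntry | None:
    """Look up one rule by gid and sid, or None if the release does not mention it."""
    return next((e for e in entries if e.gid == gid and e.sid == sid), None)


# Constructed sample: a subset of the lines from the 2017-02-02 change log.
SAMPLE_CHANGELOG = """\
The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41498 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt (malware-cnc.rules)
 * 1:41494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
 * 3:41487 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home portlet API access detected (policy-other.rules)

Modified Rules:

 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:15126 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print(f"{len(parsed)} entries parsed")
    print("new rules disabled by default:", new_rules_disabled_by_default(parsed))
    smb = find_rule(parsed, 1, 41499)
    print("CVE-2017-0016 coverage:", smb.ref, "enabled" if smb.enabled else "disabled")
```

Feeding a full change log to `parse_changelog` and checking `find_rule(entries, 1, 41499)` confirms whether the SMB rule named in the advisory is both present and enabled by default in the pack you deployed; `new_rules_disabled_by_default` is the list to review before assuming the release covers the other issues it names.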

New Rules:

 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41498 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt (malware-cnc.rules)
 * 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:41493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:41492 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 1:41491 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 1:41490 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:41489 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 3:41487 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home portlet API access detected (policy-other.rules)

Modified Rules:

 * 1:40992 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:16605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:40993 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:15126 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)

2017-02-02 22:14:10 UTC

Snort Subscriber Rules Update

Date: 2017-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:41492 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 1:41494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
 * 1:41489 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41491 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41498 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt (malware-cnc.rules)
 * 1:41490 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 3:41487 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home portlet API access detected (policy-other.rules)

Modified Rules:

 * 1:41450 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:40993 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:40992 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:15126 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:16605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)

2017-02-02 22:14:10 UTC

Snort Subscriber Rules Update

Date: 2017-02-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41498 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt (malware-cnc.rules)
 * 1:41496 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41493 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:41488 <-> DISABLED <-> SERVER-WEBAPP GitHub Enterprise pre-receive-hooks SQL injection attempt (server-webapp.rules)
 * 1:41490 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:41495 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41489 <-> DISABLED <-> SERVER-WEBAPP Sophos Web Security Appliance command injection attempt (server-webapp.rules)
 * 1:41494 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:41497 <-> ENABLED <-> SERVER-WEBAPP WordPress get_post authentication bypass attempt (server-webapp.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41491 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 1:41492 <-> DISABLED <-> BROWSER-PLUGINS NTR Check buffer overflow attempt (browser-plugins.rules)
 * 3:41487 <-> ENABLED <-> POLICY-OTHER Cisco Prime Home portlet API access detected (policy-other.rules)

Modified Rules:

 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:15126 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested tag memory corruption attempt (browser-ie.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:40992 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:16605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer nested SPAN tag memory corruption attempt (browser-ie.rules)
 * 1:40993 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use after free attempt (browser-ie.rules)