Talos Rules 2017-02-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-02-07 16:13:51 UTC

Snort Subscriber Rules Update

Date: 2017-02-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41519 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux url encoded bracket tag file poisoning attempt (server-webapp.rules)
 * 1:41518 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux bracket tag file poisoning attempt (server-webapp.rules)
 * 1:41517 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux replace tag file poisoning attempt (server-webapp.rules)
 * 1:41516 <-> ENABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux file existence test attempt (server-webapp.rules)
 * 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
 * 1:41514 <-> ENABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41513 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:41503 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41502 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41501 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41500 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 3:41505 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41506 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41507 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0281 attack attempt (server-other.rules)
 * 3:41508 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0282 attack attempt (server-other.rules)
 * 3:41509 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41510 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)

Modified Rules:

 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:26124 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt (server-webapp.rules)

2017-02-07 16:13:51 UTC

Snort Subscriber Rules Update

Date: 2017-02-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:41503 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41514 <-> ENABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41502 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41500 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41513 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
 * 1:41517 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux replace tag file poisoning attempt (server-webapp.rules)
 * 1:41516 <-> ENABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux file existence test attempt (server-webapp.rules)
 * 1:41518 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux bracket tag file poisoning attempt (server-webapp.rules)
 * 1:41501 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41519 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux url encoded bracket tag file poisoning attempt (server-webapp.rules)
 * 3:41509 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41506 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41508 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0282 attack attempt (server-other.rules)
 * 3:41507 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0281 attack attempt (server-other.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41510 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41505 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)

Modified Rules:

 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:26124 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt (server-webapp.rules)

2017-02-07 16:13:51 UTC

Snort Subscriber Rules Update

Date: 2017-02-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41502 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41515 <-> ENABLED <-> POLICY-OTHER McAfee Virus Scan Linux outdated version detected (policy-other.rules)
 * 1:41514 <-> ENABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41518 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux bracket tag file poisoning attempt (server-webapp.rules)
 * 1:41513 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:41503 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41501 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41519 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux url encoded bracket tag file poisoning attempt (server-webapp.rules)
 * 1:41517 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux replace tag file poisoning attempt (server-webapp.rules)
 * 1:41504 <-> DISABLED <-> SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt (server-webapp.rules)
 * 1:41516 <-> ENABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux file existence test attempt (server-webapp.rules)
 * 1:41500 <-> DISABLED <-> BROWSER-PLUGINS NTR ActiveX clsid access attempt (browser-plugins.rules)
 * 3:41506 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41508 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0282 attack attempt (server-other.rules)
 * 3:41505 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0280 attack attempt (server-other.rules)
 * 3:41507 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0281 attack attempt (server-other.rules)
 * 3:41509 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41510 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0283 attack attempt (server-other.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)

Modified Rules:

 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:26124 <-> DISABLED <-> SERVER-WEBAPP Microsoft Office SharePoint cross site scripting attempt (server-webapp.rules)