Talos Rules 2017-02-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-02-17 00:47:58 UTC

Snort Subscriber Rules Update

Date: 2017-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
 * 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
 * 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
 * 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
 * 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
 * 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
 * 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
 * 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)

Modified Rules:


 * 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)

2017-02-17 00:47:58 UTC

Snort Subscriber Rules Update

Date: 2017-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
 * 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
 * 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)
 * 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
 * 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
 * 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
 * 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
 * 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
 * 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)

Modified Rules:


 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)

2017-02-17 00:47:58 UTC

Snort Subscriber Rules Update

Date: 2017-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41659 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
 * 1:41658 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected (malware-other.rules)
 * 1:41657 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MagicHound variant outbound connection attempt (malware-cnc.rules)
 * 1:41656 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41655 <-> ENABLED <-> BLACKLIST DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound (blacklist.rules)
 * 1:41654 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41653 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41652 <-> DISABLED <-> SERVER-WEBAPP Geutebruck IP Camera testaction.cgi command injection attempt (server-webapp.rules)
 * 1:41651 <-> DISABLED <-> SERVER-OTHER Schneider Electric ETY Telnet DOS attempt (server-other.rules)
 * 1:41650 <-> DISABLED <-> SERVER-WEBAPP Wordpress Excerpt cross site scripting attempt (server-webapp.rules)
 * 1:41649 <-> DISABLED <-> POLICY-OTHER Wordpress Press-This page access detected (policy-other.rules)
 * 1:41648 <-> DISABLED <-> PROTOCOL-SCADA SCADA Trace Mode DoS attempt (protocol-scada.rules)
 * 1:41647 <-> DISABLED <-> POLICY-OTHER Piwik Analytics Platform PHP plugin installation detected (policy-other.rules)
 * 1:41646 <-> DISABLED <-> PROTOCOL-SCADA BB-Elec ethernet gateway DOS attempt (protocol-scada.rules)
 * 1:41645 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41644 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSprite tag memory corruption attempt (file-flash.rules)
 * 1:41643 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)

Modified Rules:


 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41457 <-> DISABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:38483 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:38484 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStyleSheet keyframes out of bounds read attempt (browser-ie.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)