Talos Rules 2017-03-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-pdf, indicator-compromise, malware-cnc, malware-tools, protocol-scada and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:

 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:

 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)
 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:

 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)