Talos Rules 2017-03-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-image, file-other, indicator-scan, os-windows, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-03-07 15:20:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

The default rule state is the state the rule ships in: ENABLED rules are active in the rule pack's default policy, while DISABLED rules are shipped commented out and generate no alerts until you enable them explicitly in your own policy.

New Rules:


 * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
 * 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
 * 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
 * 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
 * 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)
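The following is an added example, not part of the Talos release note: a small Python parser for the `gid:sid <-> state <-> message (rule group)` lines above. It turns a change-log block into records, pulls out the new rules that ship DISABLED (the ones to review before the update goes live), groups entries by rule file, and checks that two version blocks carry the same set of rule IDs, which is what the three blocks on this page should satisfy. The sample text is a constructed subset of this page's entries; the `gid:sid` lines it emits for enabling rules are an assumption about how you would hand the result to a rule-management tool.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One change-log entry, e.g.
#  * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.+?)\s*\((?P<rulefile>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    state: str       # "ENABLED" or "DISABLED" (default rule state)
    category: str    # rule category prefix of the message, e.g. POLICY-OTHER
    msg: str         # rule message without the category prefix
    rulefile: str    # rule group file, e.g. policy-other.rules
    section: str     # "new" or "modified"


def parse_changelog(text):
    """Parse one 'Snort Subscriber Rules Update' block into RuleChange records.

    Entries under 'New Rules:' get section='new', entries under
    'Modified Rules:' get section='modified'; anything else is ignored.
    """
    section = None
    changes = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            changes.append(RuleChange(int(m["gid"]), int(m["sid"]), m["state"],
                                      m["category"], m["msg"], m["rulefile"], section))
    return changes


def disabled_by_default(changes):
    """New rules that ship commented out: they need an explicit enable to alert."""
    return [c for c in changes if c.section == "new" and c.state == "DISABLED"]


def by_rulefile(changes):
    """Group entries by rule group file, preserving file order of appearance."""
    groups = defaultdict(list)
    for c in changes:
        groups[c.rulefile].append(c)
    return dict(groups)


def sid_set(changes, section=None):
    """Set of (gid, sid) pairs, optionally restricted to one section."""
    return {(c.gid, c.sid) for c in changes if section is None or c.section == section}


def enablesid_lines(changes):
    """gid:sid lines for the DISABLED new rules, sorted, in the form that
    rule-management tools usually accept for an enable list (assumed usage)."""
    return [f"{c.gid}:{c.sid}"
            for c in sorted(disabled_by_default(changes), key=lambda c: (c.gid, c.sid))]


# Constructed sample: a subset of this page's entries for two Snort versions.
SAMPLE_2990 = """\
New Rules:

 * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
 * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)

Modified Rules:

 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
"""

# Same rules, listed in a different order, as the per-version blocks on this page are.
SAMPLE_2983 = """\
New Rules:

 * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
 * 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
 * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)

Modified Rules:

 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
"""

if __name__ == "__main__":
    changes = parse_changelog(SAMPLE_2990)
    for rulefile, entries in by_rulefile(changes).items():
        print(rulefile, [c.sid for c in entries])
    print("new rules shipped DISABLED:", enablesid_lines(changes))
    print("2990 and 2983 carry the same rules:",
          sid_set(changes) == sid_set(parse_changelog(SAMPLE_2983)))
```

Run against the full text of a block, the `sid_set` comparison is a quick way to confirm that the per-version entries on a page like this differ only in ordering, and `enablesid_lines` gives you the list of DISABLED additions to decide on one by one rather than discovering later that a rule you expected to fire was never active.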

2017-03-07 15:20:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
 * 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
 * 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
 * 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)

2017-03-07 15:20:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41816 <-> DISABLED <-> POLICY-OTHER ElasticSearch cluster health access detected (policy-other.rules)
 * 1:41799 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41796 <-> DISABLED <-> POLICY-OTHER Cisco IOS privileged user configuration transfer via TFTP detected (policy-other.rules)
 * 1:41795 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41814 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41793 <-> ENABLED <-> INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response (indicator-scan.rules)
 * 1:41792 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41791 <-> ENABLED <-> FILE-OTHER Microsoft Office RTF out-of-bounds memory access attempt (file-other.rules)
 * 1:41790 <-> DISABLED <-> SERVER-WEBAPP Brocade Network Advisor CliMonitorReportServlet directory traversal attempt (server-webapp.rules)
 * 1:41815 <-> DISABLED <-> SERVER-WEBAPP NetGain Enterprise Manager arbitrary command execution attempt (server-webapp.rules)
 * 1:41797 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41798 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41800 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41801 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41802 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager Fastback buffer overflow attempt (server-other.rules)
 * 1:41803 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41804 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41805 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41806 <-> DISABLED <-> BROWSER-PLUGINS Elipse E3 ActiveReports ActiveX clsid access attempt (browser-plugins.rules)
 * 1:41807 <-> DISABLED <-> POLICY-OTHER SSLv3 Client Hello attempt (policy-other.rules)
 * 1:41808 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41811 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41794 <-> DISABLED <-> POLICY-OTHER Cisco IOS SMI imagelist download via TFTP detected (policy-other.rules)
 * 1:41809 <-> DISABLED <-> FILE-IMAGE ImageMagick mvg processing command server side request forgery attempt (file-image.rules)
 * 1:41810 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)
 * 1:41812 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ broker service unauthenticated request attempt (server-other.rules)

Modified Rules:


 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:36677 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:36678 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SVG textbox out of bound memory access attempt (browser-ie.rules)
 * 1:39754 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror exploit kit landing page detected (exploit-kit.rules)
 * 1:40661 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:40662 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.concat type confusion attempt (browser-ie.rules)
 * 1:41744 <-> DISABLED <-> POLICY-OTHER Cisco IOS configuration transfer via TFTP detected (policy-other.rules)