Talos Rules 2017-03-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-flash, malware-cnc, malware-other, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-03-23 15:47:21 UTC

Snort Subscriber Rules Update

Date: 2017-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules)
 * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules)
 * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules)
 * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules)
 * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules)
 * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules)
 * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules)
 * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules)
 * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules)
 * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules)
 * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules)
 * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
 * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
 * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules)

Modified Rules:
 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules)

2017-03-23 15:47:21 UTC

Snort Subscriber Rules Update

Date: 2017-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules)
 * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules)
 * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules)
 * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules)
 * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules)
 * 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules)
 * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules)
 * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules)
 * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules)
 * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
 * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules)
 * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
 * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules)

Modified Rules:
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)
 * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)

2017-03-23 15:47:21 UTC

Snort Subscriber Rules Update

Date: 2017-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:42072 <-> DISABLED <-> SERVER-WEBAPP Aultware pwStore denial of service attempt (server-webapp.rules)
 * 1:42068 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 default login attempt (policy-other.rules)
 * 1:42067 <-> DISABLED <-> POLICY-OTHER Aviosys IP Power 9258 W2 management.asp information disclosure (policy-other.rules)
 * 1:42066 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin arbitrary file deletion attempt (server-webapp.rules)
 * 1:42065 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42064 <-> DISABLED <-> SERVER-OTHER kaskad SCADA daserver heap overflow exploitation attempt (server-other.rules)
 * 1:42063 <-> DISABLED <-> SERVER-WEBAPP xArrow null pointer denial of service exploitation attempt (server-webapp.rules)
 * 1:42062 <-> DISABLED <-> SERVER-WEBAPP xArrow heap corruption exploitation attempt (server-webapp.rules)
 * 1:42059 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Sage variant outbound connection (malware-cnc.rules)
 * 1:42058 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42057 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42056 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42055 <-> DISABLED <-> PROTOCOL-SCADA Moxa password retrieval attempt (protocol-scada.rules)
 * 1:42054 <-> DISABLED <-> PROTOCOL-SCADA Moxa get SNMP read string attempt (protocol-scada.rules)
 * 1:42053 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42052 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime TVSDK memory corruption attempt (file-flash.rules)
 * 1:42050 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 1:42049 <-> DISABLED <-> SERVER-WEBAPP dnaLIMS viewAppletFsa.cgi directory traversal attempt (server-webapp.rules)
 * 3:42070 <-> ENABLED <-> SERVER-OTHER Cisco IOS L2TP invalid message digest AVP denial of service attempt (server-other.rules)
 * 3:42071 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui denial of service attempt (server-webapp.rules)
 * 3:42061 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE webui software upgrade command injection attempt (server-webapp.rules)
 * 3:42069 <-> ENABLED <-> SERVER-OTHER Cisco IOS XE DHCP vendor class identifier format string exploit attempt (server-other.rules)
 * 3:42051 <-> ENABLED <-> SERVER-OTHER Cisco IOS autonomic networking discovery denial of service attempt (server-other.rules)
 * 3:42060 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCP client dummy XID denial of service attempt (server-other.rules)
 * 3:41909 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)
 * 3:41910 <-> ENABLED <-> SERVER-OTHER Cisco Software Cluster Management Protocol remote code execution attempt (server-other.rules)

Modified Rules:
 * 1:41596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41660 <-> DISABLED <-> MALWARE-OTHER VBScript potential executable write attempt (malware-other.rules)
 * 1:41595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI invalid EMF cbBitsSrc memory disclosure attempt (os-windows.rules)
 * 1:41499 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt (server-samba.rules)