Talos Rules 2017-04-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, indicator-shellcode, malware-cnc, malware-tools, protocol-scada, server-webapp and x11 rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-04-04 16:39:23 UTC

Snort Subscriber Rules Update

Date: 2017-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection attempt (malware-cnc.rules)
 * 1:42117 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42115 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)
 * 1:42116 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)
 * 1:42121 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
 * 1:42122 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42123 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42118 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42120 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42127 <-> DISABLED <-> PROTOCOL-SCADA Eaton Network Pi3Web DOS attempt (protocol-scada.rules)
 * 1:42124 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42125 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:

 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:1390 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ebx NOOP (indicator-shellcode.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)

2017-04-04 16:39:23 UTC

Snort Subscriber Rules Update

Date: 2017-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42125 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42122 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42117 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42120 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
 * 1:42124 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42115 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)
 * 1:42123 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42116 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)
 * 1:42121 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42127 <-> DISABLED <-> PROTOCOL-SCADA Eaton Network Pi3Web DOS attempt (protocol-scada.rules)
 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection attempt (malware-cnc.rules)
 * 1:42118 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)

Modified Rules:

 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:1390 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ebx NOOP (indicator-shellcode.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)

2017-04-04 16:39:23 UTC

Snort Subscriber Rules Update

Date: 2017-04-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42127 <-> DISABLED <-> PROTOCOL-SCADA Eaton Network Pi3Web DOS attempt (protocol-scada.rules)
 * 1:42126 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Acronym variant outbound connection attempt (malware-cnc.rules)
 * 1:42125 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42124 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42123 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42122 <-> DISABLED <-> BROWSER-PLUGINS Invensys Wonderware Archestra ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42121 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42120 <-> DISABLED <-> SERVER-WEBAPP Dahua IP Camera username and password disclosure attempt (server-webapp.rules)
 * 1:42119 <-> DISABLED <-> SERVER-WEBAPP pfSense openvpn_wizard PHP code injection attempt (server-webapp.rules)
 * 1:42118 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42117 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:42116 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)
 * 1:42115 <-> DISABLED <-> DELETED MALWARE-TOOLS TESTING RULE (deleted.rules)

Modified Rules:

 * 1:1225 <-> DISABLED <-> X11 MIT Magic Cookie detected (x11.rules)
 * 1:1390 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ebx NOOP (indicator-shellcode.rules)
 * 1:38993 <-> ENABLED <-> SQL use of sleep function in HTTP header - likely SQL injection attempt (sql.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)