Talos Rules 2017-04-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-04-06 17:04:24 UTC

Snort Subscriber Rules Update

Date: 2017-04-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor (blacklist.rules)
 * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules)
 * 1:42134 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42135 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42136 <-> DISABLED <-> SERVER-WEBAPP Infinite Automation Mango Automation info leak attempt (server-webapp.rules)
 * 1:42129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 1:42128 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 3:42147 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42138 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42137 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42139 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42146 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42145 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)
 * 3:42144 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)
 * 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42143 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)
 * 3:42142 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)
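The BLACKLIST rule 1:42130 above alerts on a client query for update.winappupdater.com. What such a signature has to match is not the dotted name but the DNS wire encoding of it (length-prefixed labels ending in a zero byte), which is why these rules are written as a hex-and-text content string. The following is an added example, not part of this release note and not the Talos rule itself: it encodes a domain the way a resolver puts it on the wire, renders that as Snort content syntax, and assembles a constructed local-SID rule in the same shape (the rule text, the local SID and the byte_test are illustration, not the published 1:42130).

```python
# Added example: DNS wire-format encoding for a "known malware domain" signature.
# Constructed illustration; the rule text is NOT the actual Talos rule 1:42130.


def dns_wire_labels(domain: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 section 3.1):
    each label is prefixed with its length, and a zero byte ends the name."""
    out = bytearray()
    for label in domain.strip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def snort_content(data: bytes) -> str:
    """Render bytes in Snort content syntax: hostname characters as text,
    everything else as |hh hh| hex groups (adjacent hex bytes share one group)."""
    pieces, hex_run = [], []

    def flush():
        if hex_run:
            pieces.append("|" + " ".join(hex_run) + "|")
            hex_run.clear()

    for b in data:
        ch = chr(b)
        if ch.isascii() and (ch.isalnum() or ch in "-_"):
            flush()
            pieces.append(ch)
        else:
            hex_run.append(f"{b:02x}")
    flush()
    return "".join(pieces)


def blacklist_dns_rule(domain: str, sid: int, family: str) -> str:
    """Build a Snort 2 rule alerting on a client query for `domain`.
    Constructed illustration with a local SID; not the published Talos rule."""
    content = snort_content(dns_wire_labels(domain))
    return (
        "alert udp $HOME_NET any -> any 53 ("
        f'msg:"BLACKLIST DNS request for known malware domain {domain} - {family}"; '
        "flow:to_server; "
        # Byte 2 of the DNS header carries QR, Opcode, AA and TC. Requiring all of
        # them clear restricts the match to plain standard queries, not responses.
        "byte_test:1,!&,0xF8,2; "
        f'content:"{content}"; fast_pattern:only; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    # Local SID range (1000000+) so the illustration cannot collide with Talos SIDs.
    print(blacklist_dns_rule("update.winappupdater.com", 1000001, "Win.Trojan.Ismdoor"))
```

The encoding step is the part that matters operationally: a rule written against the text "update.winappupdater.com" would never fire, and a content match on the wire form is also naturally anchored, since the length byte before the first label prevents a longer host name ending in the same suffix from matching by accident.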

Modified Rules:


 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:40774 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:37919 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
 * 1:40773 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:41544 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:42009 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:42008 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41543 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:41765 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:41766 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:41760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:39082 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:40930 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:40928 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:40932 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:39083 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:40927 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40931 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:40929 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41546 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)
 * 3:41545 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
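An added example, not part of the Talos release note: a Python parser for the gid:sid <-> state <-> message (rule group) listing format described above. It reads one or more "for Snort version N" sections, confirms that they list the same set of rules (the per-version listings in this note differ only in order), summarises the release by state and rule group, and pulls out the rules that ship DISABLED in categories a deployment cares about, in the one gid:sid per line form that pulledpork's enablesid.conf takes. The sample input is an abbreviated excerpt of this release's own listing, reordered between the two sections; the category set passed to enablesid_lines is an assumption.

```python
# Added example: parse Snort Subscriber Rules Update changelogs.
import re
from collections import Counter
from dataclasses import dataclass

# " * 1:42131 <-> DISABLED <-> SERVER-WEBAPP ... attempt (server-webapp.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)
VERSION_RE = re.compile(r"for Snort version (?P<ver>\d+)")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def category(self) -> str:
        return self.msg.split(" ", 1)[0]  # e.g. "SERVER-WEBAPP"


def parse_changelog(text: str) -> dict:
    """Return {snort_version: {"new": set[Rule], "modified": set[Rule]}}."""
    sections, version, bucket = {}, None, None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version = m.group("ver")
            sections[version] = {"new": set(), "modified": set()}
            bucket = None
            continue
        if line.strip() == "New Rules:":
            bucket = "new"
            continue
        if line.strip() == "Modified Rules:":
            bucket = "modified"
            continue
        m = RULE_RE.match(line)
        if m and version and bucket:
            sections[version][bucket].add(
                Rule(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])
            )
    return sections


def summarize(section: dict):
    """Counts per (bucket, state) and per rule group for one version section."""
    rules = [(b, r) for b in ("new", "modified") for r in section[b]]
    return Counter((b, r.state) for b, r in rules), Counter(r.group for _, r in rules)


def same_rule_set(sections: dict) -> bool:
    """True when every Snort-version section lists exactly the same rules."""
    views = {(frozenset(s["new"]), frozenset(s["modified"])) for s in sections.values()}
    return len(views) <= 1


def enablesid_lines(section: dict, categories: set) -> list:
    """gid:sid lines (pulledpork enablesid.conf form) for rules that ship DISABLED
    in the given categories, so the operator can turn them on deliberately."""
    wanted = [r for r in section["new"] | section["modified"]
              if r.state == "DISABLED" and r.category in categories]
    return [f"{r.gid}:{r.sid}" for r in sorted(wanted, key=lambda r: (r.gid, r.sid))]


# Constructed sample: an abbreviated excerpt of this release's listing, with the
# second version section deliberately reordered.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

New Rules:

 * 1:42130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor (blacklist.rules)
 * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules)
 * 3:42139 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)

Modified Rules:

 * 1:40774 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

New Rules:

 * 3:42139 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules)
 * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor (blacklist.rules)

Modified Rules:

 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 1:40774 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
"""

if __name__ == "__main__":
    sections = parse_changelog(SAMPLE)
    print("identical across versions:", same_rule_set(sections))
    by_state, by_group = summarize(sections["2976"])
    print(dict(by_state)); print(dict(by_group))
    print("\n".join(enablesid_lines(sections["2976"], {"SERVER-WEBAPP", "SERVER-APACHE"})))
```

The DISABLED default matters more than the counts: the Cambium ePMP, GE Proficy CimWeb, Mango Automation and mod_session_crypto rules in this release are all off by default, so an installation that updates the rule pack and does nothing else gains no detection for them. Feeding the parser's output into enablesid.conf (or the equivalent in your rule manager) is the step that actually changes that.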

2017-04-06 17:04:24 UTC

Snort Subscriber Rules Update

Date: 2017-04-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor (blacklist.rules)
 * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules)
 * 1:42134 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42135 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42136 <-> DISABLED <-> SERVER-WEBAPP Infinite Automation Mango Automation info leak attempt (server-webapp.rules)
 * 1:42128 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 1:42129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 3:42145 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)
 * 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42146 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42147 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42138 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42139 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:42137 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42142 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)
 * 3:42143 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)
 * 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42144 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)

Modified Rules:


 * 1:40773 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:37919 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:40774 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 3:41760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41543 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:40931 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40932 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40929 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40930 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40927 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40928 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:39082 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:39083 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:41544 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:41545 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41766 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:42009 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:41765 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:42008 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41546 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:41753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)

2017-04-06 17:04:24 UTC

Snort Subscriber Rules Update

Date: 2017-04-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42136 <-> DISABLED <-> SERVER-WEBAPP Infinite Automation Mango Automation info leak attempt (server-webapp.rules)
 * 1:42135 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42134 <-> DISABLED <-> SERVER-WEBAPP GE Proficy CimWeb substitute.bcl arbitrary file access attempt (server-webapp.rules)
 * 1:42133 <-> DISABLED <-> SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt (server-apache.rules)
 * 1:42132 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42131 <-> DISABLED <-> SERVER-WEBAPP Cambium Networks ePMP 1000 command injection attempt (server-webapp.rules)
 * 1:42130 <-> ENABLED <-> BLACKLIST DNS request for known malware domain update.winappupdater.com - Win.Trojan.Ismdoor (blacklist.rules)
 * 1:42129 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 1:42128 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection (malware-cnc.rules)
 * 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42139 <-> ENABLED <-> SERVER-WEBAPP Cisco Wireless LAN Controller denial of service attempt (server-webapp.rules)
 * 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42137 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42138 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0302 attack attempt (file-office.rules)
 * 3:42146 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42147 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0304 attack attempt (file-other.rules)
 * 3:42145 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)
 * 3:42144 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0301 attack attempt (file-office.rules)
 * 3:42143 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)
 * 3:42142 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0303 attack attempt (file-other.rules)

Modified Rules:


 * 1:40774 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 1:39566 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:40773 <-> DISABLED <-> FILE-PDF Oracle Outside In Technology remote code execution attempt (file-pdf.rules)
 * 1:39243 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39565 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed tag parsing memory corruption attempt (file-flash.rules)
 * 1:37919 <-> ENABLED <-> EXPLOIT-KIT Gong da exploit kit landing page (exploit-kit.rules)
 * 1:39242 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:42077 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42076 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0300 attack attempt (file-office.rules)
 * 3:42009 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:42008 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0295 attack attempt (file-office.rules)
 * 3:41766 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:41765 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0286 attack attempt (file-office.rules)
 * 3:41760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0290 attack attempt (file-office.rules)
 * 3:41754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)
 * 3:41753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0291 attack attempt (file-office.rules)
 * 3:41727 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41726 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0292 attack attempt (file-office.rules)
 * 3:41704 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41703 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0197 TALOS-2017-0288 attack attempt (file-office.rules)
 * 3:41546 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41545 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0284 attack attempt (file-office.rules)
 * 3:41544 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:41543 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0285 attack attempt (file-office.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-2783 attack attempt (file-office.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:40932 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40931 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0209 attack attempt (file-office.rules)
 * 3:40930 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40929 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0208 attack attempt (file-office.rules)
 * 3:40928 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:40927 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2016-0207 attack attempt (file-office.rules)
 * 3:39083 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:39082 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-CAN-0160 attack attempt (file-office.rules)
 * 3:33587 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:24666 <-> ENABLED <-> FILE-OFFICE Excel invalid data item buffer overflow attempt (file-office.rules)
 * 3:22089 <-> ENABLED <-> FILE-OFFICE Microsoft RTF improper listoverride nesting attempt (file-office.rules)
 * 3:18949 <-> ENABLED <-> FILE-OFFICE PowerPoint malformed RecolorInfoAtom exploit attempt (file-office.rules)
 * 3:18676 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel DV record buffer overflow attempt (file-office.rules)
 * 3:18063 <-> ENABLED <-> FILE-OFFICE Microsoft Office embedded Office Art drawings execution attempt (file-office.rules)
 * 3:17762 <-> ENABLED <-> FILE-OFFICE Microsoft Excel corrupted TABLE record clean up exploit attempt (file-office.rules)
 * 3:17665 <-> ENABLED <-> FILE-OFFICE OpenOffice Word document table parsing multiple heap based buffer overflow attempt (file-office.rules)
 * 3:17251 <-> ENABLED <-> FILE-OFFICE Outlook RTF remote code execution attempt (file-office.rules)
 * 3:16662 <-> ENABLED <-> FILE-OFFICE Microsoft Excel SxView heap overflow attempt (file-office.rules)
 * 3:16230 <-> ENABLED <-> FILE-OFFICE Microsoft Excel oversized ib memory corruption attempt (file-office.rules)
 * 3:16649 <-> ENABLED <-> FILE-OFFICE Microsoft Excel HFPicture record stack buffer overflow attempt (file-office.rules)
 * 3:15521 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel ExternSheet record remote code execution attempt (file-office.rules)
 * 3:15519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BRAI record remote code execution attempt (file-office.rules)
 * 3:15498 <-> ENABLED <-> FILE-OFFICE Microsoft PowerPoint CString atom overflow attempt (file-office.rules)
 * 3:15465 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed object record remote code execution attempt (file-office.rules)
 * 3:15454 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt (file-office.rules)
 * 3:15365 <-> ENABLED <-> FILE-OFFICE Microsoft Excel extrst record arbitrary code excecution attempt (file-office.rules)
 * 3:15298 <-> ENABLED <-> FILE-OFFICE Microsoft Visio could allow remote code execution (file-office.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:15117 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed OBJ record arbitrary code execution attempt (file-office.rules)
 * 3:13969 <-> ENABLED <-> FILE-OFFICE Powerpoint Viewer malformed msoDrawing property table buffer overflow attempt (file-office.rules)
 * 3:14655 <-> ENABLED <-> FILE-OFFICE Excel rept integer underflow attempt (file-office.rules)
 * 3:13958 <-> ENABLED <-> FILE-OFFICE WordPerfect Graphics file invalid RLE buffer overflow attempt (file-office.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13582 <-> ENABLED <-> FILE-OFFICE Microsoft Excel sst record arbitrary code execution attempt (file-office.rules)
 * 3:13469 <-> ENABLED <-> FILE-OFFICE Microsoft Word ole stream memory corruption attempt (file-office.rules)
 * 3:13790 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed css remote code execution attempt (file-office.rules)