Talos Rules 2017-04-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-04-13 21:02:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
 * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
 * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
 * 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
 * 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
 * 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
 * 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
 * 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
 * 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
 * 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
 * 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
 * 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
 * 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)

2017-04-13 21:02:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
 * 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
 * 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
 * 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
 * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
 * 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
 * 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
 * 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
 * 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
 * 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
 * 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
 * 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)

2017-04-13 21:02:30 UTC

Snort Subscriber Rules Update

Date: 2017-04-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42243 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dimnie outbound connection attempt (malware-cnc.rules)
 * 1:42242 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Dimnie file download attempt (malware-cnc.rules)
 * 1:42241 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42240 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42239 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS utilRequest.cgi command injection attempt (server-webapp.rules)
 * 1:42238 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42237 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42236 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS userConfig.cgi command injection attempt (server-webapp.rules)
 * 1:42235 <-> DISABLED <-> SERVER-OTHER NTP malformed config request denial of service attempt (server-other.rules)
 * 1:42234 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS authLogin.cgi command injection attempt (server-webapp.rules)
 * 1:42233 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mikcer variant outbound connection attempt (malware-cnc.rules)
 * 1:42232 <-> ENABLED <-> SERVER-OTHER TopSec Firewall cookie header command injection attempt (server-other.rules)
 * 1:42231 <-> DISABLED <-> FILE-OFFICE RTF url moniker COM file download attempt (file-office.rules)
 * 1:42230 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42229 <-> DISABLED <-> INDICATOR-COMPROMISE RTF url moniker COM file download attempt (indicator-compromise.rules)
 * 1:42228 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection (malware-cnc.rules)
 * 1:42227 <-> DISABLED <-> SERVER-OTHER NTP Config Unpeer denial of service attempt (server-other.rules)
 * 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
 * 1:42225 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RedLeaves outbound connection attempt (malware-cnc.rules)
 * 1:42224 <-> DISABLED <-> SERVER-OTHER Moxa MX-AOPC XML external entity injection attempt (server-other.rules)
 * 1:42223 <-> ENABLED <-> FILE-IDENTIFY AOP file download request (file-identify.rules)
 * 1:42222 <-> ENABLED <-> SERVER-WEBAPP Moxa MX Studio login page denial of service attempt (server-webapp.rules)
 * 1:42221 <-> ENABLED <-> SERVER-WEBAPP Moxa private key disclosure attempt (server-webapp.rules)
 * 3:42245 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42247 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42246 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)
 * 3:42244 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0315 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:117 <-> DISABLED <-> MALWARE-BACKDOOR Infector.1.x (malware-backdoor.rules)
 * 3:41511 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)
 * 3:35832 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:35833 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0320 attack attempt (file-other.rules)
 * 3:41512 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0279 attack attempt (file-office.rules)