Talos Rules 2017-04-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-04-19 02:01:21 UTC

Snort Subscriber Rules Update

Date: 2017-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
 * 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
 * 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
 * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)
 * 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
 * 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
 * 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)

Modified Rules:


 * 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)

2017-04-19 02:01:21 UTC

Snort Subscriber Rules Update

Date: 2017-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
 * 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
 * 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
 * 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
 * 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
 * 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)
 * 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)

Modified Rules:


 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)

2017-04-19 02:01:21 UTC

Snort Subscriber Rules Update

Date: 2017-04-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42291 <-> DISABLED <-> SERVER-WEBAPP AlienVault OSSIM API get_host_fqdn host_ip command injection attempt (server-webapp.rules)
 * 1:42289 <-> DISABLED <-> INDICATOR-SCAN PHP info leak attempt (indicator-scan.rules)
 * 1:42288 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42287 <-> DISABLED <-> DELETED FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (deleted.rules)
 * 1:42286 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42285 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42284 <-> DISABLED <-> PROTOCOL-SCADA 3S CoDeSys Gateway Server DOS attempt (protocol-scada.rules)
 * 1:42283 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42282 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42281 <-> DISABLED <-> OS-SOLARIS Solaris catflap telnet remote code execution attempt (os-solaris.rules)
 * 1:42280 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42279 <-> DISABLED <-> FILE-OTHER Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt (file-other.rules)
 * 1:42276 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42275 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 pclr tag out of bounds read attempt (file-pdf.rules)
 * 1:42262 <-> ENABLED <-> FILE-IDENTIFY ISO file download request (file-identify.rules)
 * 1:42261 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 1:42260 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42259 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42258 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42257 <-> ENABLED <-> FILE-IDENTIFY ISO file magic detected (file-identify.rules)
 * 3:42278 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
 * 3:42274 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42277 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0317 attack attempt (file-other.rules)
 * 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42273 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0311 attack attempt (file-pdf.rules)
 * 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42290 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0316 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)