Talos Rules 2017-05-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-image, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-ftp, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-05-16 18:59:08 UTC

Snort Subscriber Rules Update

Date: 2017-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42915 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42914 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42913 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42912 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42911 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42910 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
 * 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42903 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
 * 1:42900 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection attempt (malware-cnc.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:42897 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
 * 1:42896 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
 * 1:42895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:42893 <-> DISABLED <-> SERVER-WEBAPP Eaton VURemote denial of service attempt (server-webapp.rules)
 * 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection attempt (malware-cnc.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
 * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
 * 1:42889 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
 * 1:42888 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
 * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules)
 * 1:42886 <-> ENABLED <-> BLACKLIST User-Agent Win.Trojan.Agent malicious user agent (blacklist.rules)
 * 1:42885 <-> ENABLED <-> MALWARE-CNC WashingTon ssl certificate negotiation attempt (malware-cnc.rules)
 * 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
 * 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
 * 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection attempt (malware-cnc.rules)
 * 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
 * 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
 * 1:42879 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
 * 1:42868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
 * 1:42867 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
 * 1:42866 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
 * 1:42865 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RRAS MIBEntryGet buffer overflow attempt (os-windows.rules)
 * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
 * 1:42861 <-> ENABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)
 * 1:42860 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
 * 1:42859 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
 * 1:42858 <-> DISABLED <-> SERVER-WEBAPP CVS password disclosure attempt (server-webapp.rules)
 * 1:42857 <-> DISABLED <-> SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt (server-webapp.rules)
 * 1:42856 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42855 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
 * 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
 * 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
 * 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:25670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 1:29188 <-> DISABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)

2017-05-16 18:59:08 UTC

Snort Subscriber Rules Update

Date: 2017-05-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42901 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
 * 1:42899 <-> ENABLED <-> MALWARE-CNC Jaff ransomware outbound connection attempt (malware-cnc.rules)
 * 1:42854 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
 * 1:42855 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42856 <-> DISABLED <-> BROWSER-PLUGINS Schneider SoMachine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42857 <-> DISABLED <-> SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt (server-webapp.rules)
 * 1:42858 <-> DISABLED <-> SERVER-WEBAPP CVS password disclosure attempt (server-webapp.rules)
 * 1:42859 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
 * 1:42860 <-> ENABLED <-> FILE-PDF Adobe Reader PDF memory corruption attempt (file-pdf.rules)
 * 1:42861 <-> ENABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)
 * 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
 * 1:42863 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42864 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42865 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RRAS MIBEntryGet buffer overflow attempt (os-windows.rules)
 * 1:42866 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
 * 1:42868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
 * 1:42867 <-> DISABLED <-> SERVER-WEBAPP GE Proficy RT Portal information disclosure attempt (server-webapp.rules)
 * 1:42869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA forms engine use after free attempt (file-pdf.rules)
 * 1:42870 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42871 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42872 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42873 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42874 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42875 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42876 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42877 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document XSLT engine information disclosure exploitation attempt (file-pdf.rules)
 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:42879 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:42880 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
 * 1:42881 <-> ENABLED <-> MALWARE-CNC Deputy Dog implant outbound connection attempt (malware-cnc.rules)
 * 1:42882 <-> ENABLED <-> MALWARE-CNC ZoxPNG initial outbound connection attempt (malware-cnc.rules)
 * 1:42883 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
 * 1:42884 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt (malware-cnc.rules)
 * 1:42885 <-> ENABLED <-> MALWARE-CNC WashingTon ssl certificate negotiation attempt (malware-cnc.rules)
 * 1:42886 <-> ENABLED <-> BLACKLIST User-Agent Win.Trojan.Agent malicious user agent (blacklist.rules)
 * 1:42887 <-> ENABLED <-> SERVER-OTHER ntpq flagstr buffer overflow attempt (server-other.rules)
 * 1:42888 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
 * 1:42889 <-> DISABLED <-> FILE-PDF Adobe Acrobat JP2 parser information disclosure attempt (file-pdf.rules)
 * 1:42890 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
 * 1:42891 <-> ENABLED <-> FILE-OTHER AfterMidnight post exploitation tool aftermidnight.dll dll-load exploit attempt (file-other.rules)
 * 1:42892 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA outbound connection attempt (malware-cnc.rules)
 * 1:42893 <-> DISABLED <-> SERVER-WEBAPP Eaton VURemote denial of service attempt (server-webapp.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:42895 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:42896 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
 * 1:42897 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader CTJPEGWriter null pointer dereference attempt (file-pdf.rules)
 * 1:42898 <-> DISABLED <-> SERVER-WEBAPP Eaton Network Shutdown Module remote code execution attempt (server-webapp.rules)
 * 1:42915 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42914 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42913 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42912 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42911 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42910 <-> ENABLED <-> FILE-PDF Acrobat Reader TIFF malformed IFD tag heap overflow attempt (file-pdf.rules)
 * 1:42909 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42908 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42907 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42853 <-> DISABLED <-> SERVER-WEBAPP Serviio Media Server checkStreamUrl command injection attempt (server-webapp.rules)
 * 1:42906 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:42905 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS file containing embedded PE (file-office.rules)
 * 1:42904 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42903 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42902 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)
 * 1:42900 <-> ENABLED <-> FILE-OFFICE Microsoft Office EPS restore command use after free attempt (file-office.rules)

Modified Rules:

 * 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
 * 1:42841 <-> ENABLED <-> BLACKLIST suspicious .bit tcp dns query (blacklist.rules)
 * 1:42404 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:42405 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:32494 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:42403 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Threat Discovery Appliance cache_id command injection attempt (server-webapp.rules)
 * 1:29188 <-> DISABLED <-> EXPLOIT-KIT Magnitude exploit kit embedded open type font file request (exploit-kit.rules)
 * 1:32493 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection (malware-cnc.rules)
 * 1:17410 <-> DISABLED <-> OS-WINDOWS Generic HyperLink buffer overflow attempt (os-windows.rules)
 * 1:25670 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Swisyn variant outbound connection (malware-cnc.rules)
 * 3:42141 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)
 * 3:42140 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2016-0244 attack attempt (file-image.rules)