Talos Rules 2017-05-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-identify, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-05-17 19:00:26 UTC

Snort Subscriber Rules Update

Date: 2017-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eternalblue variant echo request (malware-cnc.rules)
 * 1:42919 <-> DISABLED <-> FILE-IDENTIFY ISO file attachment with executable detected (file-identify.rules)
 * 1:42917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eternalblue variant echo response (malware-cnc.rules)
 * 1:42922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt (browser-plugins.rules)
 * 1:42921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt (browser-plugins.rules)
 * 1:42918 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)
 * 3:42924 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration potentially unauthorized log file access detected (policy-other.rules)

Modified Rules:

 * 1:42861 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)

2017-05-17 19:00:26 UTC

Snort Subscriber Rules Update

Date: 2017-05-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:42922 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt (browser-plugins.rules)
 * 1:42921 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric SoMachine HVAC ActiveX information disclosure clsid access attempt (browser-plugins.rules)
 * 1:42920 <-> DISABLED <-> SERVER-WEBAPP LogRhythm Network Monitor JSON configuration API command injection attempt (server-webapp.rules)
 * 1:42919 <-> DISABLED <-> FILE-IDENTIFY ISO file attachment with executable detected (file-identify.rules)
 * 1:42918 <-> ENABLED <-> FILE-IDENTIFY ISO file attachment detected (file-identify.rules)
 * 1:42917 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eternalblue variant echo response (malware-cnc.rules)
 * 1:42916 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eternalblue variant echo request (malware-cnc.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)
 * 3:42924 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration potentially unauthorized log file access detected (policy-other.rules)

Modified Rules:

 * 1:42861 <-> DISABLED <-> PROTOCOL-SCADA Schneider Modicon TM221CE16R password retrieval attempt (protocol-scada.rules)