Talos Rules 2017-06-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-scada, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-06-20 15:11:28 UTC

Snort Subscriber Rules Update

Date: 2017-06-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43210 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43209 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43208 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
 * 1:43196 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
 * 1:43195 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
 * 1:43201 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
 * 1:43202 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
 * 1:43205 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43204 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
 * 1:43207 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
 * 1:43199 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
 * 1:43198 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
 * 1:43203 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
 * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules)
 * 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules)
 * 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
 * 1:43219 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
 * 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules)
 * 1:43221 <-> ENABLED <-> MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server (malware-other.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:43229 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43197 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
 * 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
 * 1:43236 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43235 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43206 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43234 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43232 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43231 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43233 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43230 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43200 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
 * 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)
 * 3:43214 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
 * 3:43215 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
 * 3:43212 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
 * 3:43213 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
 * 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
 * 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
 * 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
 * 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
 * 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
 * 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
 * 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
 * 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
 * 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)

2017-06-20 15:11:28 UTC

Snort Subscriber Rules Update

Date: 2017-06-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
 * 1:43236 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43235 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43234 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43233 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43232 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43231 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43230 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43229 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Director Shockwave 3D buffer overflow attempt (file-other.rules)
 * 1:43228 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force on denial of service attempt (protocol-scada.rules)
 * 1:43227 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 force off denial of service attempt (protocol-scada.rules)
 * 1:43226 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43225 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework CLI loader denial of service attempt (os-windows.rules)
 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:43221 <-> ENABLED <-> MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server (malware-other.rules)
 * 1:43220 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Hotbar (blacklist.rules)
 * 1:43219 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
 * 1:43218 <-> DISABLED <-> PUA-ADWARE Win.Adware.Hotbar variant outbound connection (pua-adware.rules)
 * 1:43217 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit redirection attempt (exploit-kit.rules)
 * 1:43216 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP payload not fully gzip compressed attempt (indicator-obfuscation.rules)
 * 1:43210 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43209 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler XiotechMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43208 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
 * 1:43207 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler UserDefinedFieldConfigServlet SQL injection attempt (server-webapp.rules)
 * 1:43206 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43205 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler QuantumMonitorServlet SQL injection attempt (server-webapp.rules)
 * 1:43204 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
 * 1:43203 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ProcessesServlet SQL injection attempt (server-webapp.rules)
 * 1:43202 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
 * 1:43201 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler NbuErrorMessageServlet SQL injection attempt (server-webapp.rules)
 * 1:43200 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
 * 1:43199 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler HostStorageServlet SQL injection attempt (server-webapp.rules)
 * 1:43198 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
 * 1:43197 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler FileActionAssignmentServlet SQL injection attempt (server-webapp.rules)
 * 1:43196 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
 * 1:43195 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupAssociationServlet SQL injection attempt (server-webapp.rules)
 * 3:43211 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0365 attack attempt (server-other.rules)
 * 3:43212 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
 * 3:43213 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0367 attack attempt (file-pdf.rules)
 * 3:43214 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)
 * 3:43215 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0366 attack attempt (file-image.rules)

Modified Rules:

 * 1:39334 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
 * 1:39332 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:39331 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BackupExceptionsServlet SQL injection attempt (server-webapp.rules)
 * 1:39336 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
 * 1:39337 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler BexDriveUsageSummaryServlet SQL injection attempt (server-webapp.rules)
 * 1:39338 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
 * 1:39339 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
 * 1:39340 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler WindowsEventLogsServlet SQL injection attempt (server-webapp.rules)
 * 1:41038 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA testConfiguration command injection attempt (server-webapp.rules)
 * 1:39333 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler DuplicateFilesServlet SQL injection attempt (server-webapp.rules)
 * 1:39335 <-> ENABLED <-> SERVER-WEBAPP SolarWinds SRM Profiler ScriptServlet SQL injection attempt (server-webapp.rules)
 * 3:42270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42271 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42272 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42265 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42263 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42264 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42267 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42266 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)
 * 3:42268 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0318 attack attempt (file-other.rules)