Talos Rules 2017-07-20
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-identify, file-office, file-other, malware-cnc, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-07-20 13:55:45 UTC

Snort Subscriber Rules Update

Date: 2017-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43615 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
 * 1:43612 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43610 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
 * 1:43611 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
 * 1:43609 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:43622 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (browser-ie.rules)
 * 1:43621 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
 * 1:43620 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
 * 1:43616 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43614 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43617 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43608 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:43624 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (file-other.rules)
 * 1:43613 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43607 <-> DISABLED <-> BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43625 <-> ENABLED <-> SERVER-WEBAPP Axis M3004 remote code execution attempt (server-webapp.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43603 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
 * 1:43604 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
 * 1:43626 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
 * 1:43601 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43600 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
 * 1:43627 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43632 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
 * 1:43633 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
 * 1:43635 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:43634 <-> DISABLED <-> SERVER-WEBAPP Zenoss call home remote code execution attempt (server-webapp.rules)
 * 1:43636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:43637 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (server-webapp.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43623 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (file-other.rules)
 * 1:43619 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43644 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (browser-firefox.rules)
 * 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox css frame constructor memory corruption attempt (browser-firefox.rules)
 * 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43618 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43643 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (browser-firefox.rules)
 * 3:43630 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43631 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43628 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43629 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:16721 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:29168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:29169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25658 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
 * 1:2655 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin ExecuteFile admin access (server-other.rules)
 * 1:2549 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin file write attempt (server-other.rules)
 * 1:25657 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
 * 1:2547 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin remote file upload attempt (server-other.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access (server-other.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23939 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:20054 <-> DISABLED <-> SERVER-OTHER HP OpenView Network Node Manager denial of service attempt (server-other.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:18188 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt (browser-firefox.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)

2017-07-20 13:55:45 UTC

Snort Subscriber Rules Update

Date: 2017-07-20

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43644 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox display moz-deck style memory corruption attempt (browser-firefox.rules)
 * 1:43643 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox design mode deleted style memory corruption attempt (browser-firefox.rules)
 * 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox css frame constructor memory corruption attempt (browser-firefox.rules)
 * 1:43641 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43639 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Excel null pointer dereference attempt (file-office.rules)
 * 1:43637 <-> DISABLED <-> SERVER-WEBAPP SAP Internet Transaction Server cross site scripting attempt (server-webapp.rules)
 * 1:43636 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:43635 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:43634 <-> DISABLED <-> SERVER-WEBAPP Zenoss call home remote code execution attempt (server-webapp.rules)
 * 1:43633 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
 * 1:43632 <-> DISABLED <-> FILE-EXECUTABLE SandboxEscaper WER download attempt (file-executable.rules)
 * 1:43627 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
 * 1:43626 <-> DISABLED <-> FILE-OTHER Schneider Electric MaxStream Configuration X-CTU code execution attempt (file-other.rules)
 * 1:43625 <-> ENABLED <-> SERVER-WEBAPP Axis M3004 remote code execution attempt (server-webapp.rules)
 * 1:43624 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file InformixServerList processing stack buffer overflow attempt (file-other.rules)
 * 1:43623 <-> DISABLED <-> FILE-OTHER IBM Informix Client SDK NFX file HostList processing stack buffer overflow attempt (file-other.rules)
 * 1:43622 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer GDI VML gradient size heap overflow attempt (browser-ie.rules)
 * 1:43621 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
 * 1:43620 <-> DISABLED <-> SERVER-OTHER Real Networks Helix Server RTSP denial of service attempt (server-other.rules)
 * 1:43619 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43618 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43617 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43616 <-> DISABLED <-> SERVER-WEBAPP E-Mail Security Virtual Appliance command injection attempt (server-webapp.rules)
 * 1:43615 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
 * 1:43614 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43613 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43612 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:43611 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
 * 1:43610 <-> DISABLED <-> SERVER-OTHER Piwigo LocalFiles editor cross-site request forgery attempt (server-other.rules)
 * 1:43609 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:43608 <-> DISABLED <-> FILE-OTHER ImageMagick SGI ZSIZE header information overflow attempt (file-other.rules)
 * 1:43607 <-> DISABLED <-> BROWSER-PLUGINS HP Photo Creative ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43606 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43605 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:43604 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
 * 1:43603 <-> DISABLED <-> FILE-OTHER Schneider Electric ClearSCADA malicious OPF file (file-other.rules)
 * 1:43602 <-> DISABLED <-> SERVER-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (server-other.rules)
 * 1:43601 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
 * 1:43600 <-> DISABLED <-> FILE-OTHER Wireshark ENTTEC DMX RLE buffer overflow attempt (file-other.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43597 <-> DISABLED <-> MALWARE-CNC Win.Trojan.BlackEnergy outbound communication (malware-cnc.rules)
 * 3:43631 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43629 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43630 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)
 * 3:43628 <-> ENABLED <-> SERVER-WEBAPP Cisco Web Security Appliance https_proxy command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:7981 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:43523 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Donvibs variant outbound connection attempt (malware-cnc.rules)
 * 1:33644 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:33643 <-> DISABLED <-> FILE-OTHER Apple Motion OZDocumentparseElement Integer Overflow attempt (file-other.rules)
 * 1:29169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:29168 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer EUC-JP encoding cross site scripting attempt (browser-ie.rules)
 * 1:27792 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:27791 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27789 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:27790 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:25658 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
 * 1:2655 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin ExecuteFile admin access (server-other.rules)
 * 1:2549 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin file write attempt (server-other.rules)
 * 1:25657 <-> DISABLED <-> SERVER-OTHER HP Data Protector Media Operations directory traversal attempt (server-other.rules)
 * 1:2547 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin remote file upload attempt (server-other.rules)
 * 1:2548 <-> DISABLED <-> SERVER-OTHER HP Web JetAdmin setinfo access (server-other.rules)
 * 1:23939 <-> DISABLED <-> SERVER-ORACLE Oracle Business Transaction Management FlashTunnelService directory traversal attempt (server-oracle.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:13903 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13905 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX function call access attempt (browser-plugins.rules)
 * 1:13907 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Access Snapshot Viewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16721 <-> DISABLED <-> FILE-OTHER Orbital Viewer .orb stack buffer overflow attempt (file-other.rules)
 * 1:18188 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser marquee tag denial of service attempt (browser-firefox.rules)
 * 1:19471 <-> DISABLED <-> POLICY-OTHER dnstunnel v0.5 outbound traffic detected (policy-other.rules)
 * 1:20054 <-> DISABLED <-> SERVER-OTHER HP OpenView Network Node Manager denial of service attempt (server-other.rules)