Talos Rules 2017-08-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-office, file-other, malware-backdoor, os-windows, policy-other, server-iis, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-08-01 14:13:21 UTC

Snort Subscriber Rules Update

Date: 2017-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43796 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43793 <-> DISABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43789 <-> DISABLED <-> SERVER-OTHER Solarwinds Virtualization Manager Java malicious object deserialization attempt (server-other.rules)
 * 1:43791 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
 * 1:43792 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
 * 1:43775 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
 * 1:43776 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
 * 1:43777 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
 * 1:43778 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt (browser-firefox.rules)
 * 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
 * 1:43780 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router buffer overflow attempt (server-webapp.rules)
 * 1:43781 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43782 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43783 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43784 <-> DISABLED <-> POLICY-OTHER D-Link DIR-645 router external authentication attempt (policy-other.rules)
 * 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43799 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43800 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43801 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43806 <-> DISABLED <-> MALWARE-BACKDOOR HVL Rat inbound command (malware-backdoor.rules)
 * 1:43807 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:43808 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:43809 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt (server-webapp.rules)
 * 1:43810 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43811 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43812 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43818 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43790 <-> ENABLED <-> SERVER-OTHER Apache mod_auth_digest out of bounds read attempt (server-other.rules)
 * 1:43816 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43817 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43815 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43785 <-> DISABLED <-> POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check (policy-other.rules)
 * 1:43813 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt (server-webapp.rules)

Modified Rules:

 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:34299 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
 * 1:41850 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43444 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:6289 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server (malware-backdoor.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)
 * 1:31194 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)

2017-08-01 14:13:21 UTC

Snort Subscriber Rules Update

Date: 2017-08-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:43818 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43817 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43816 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43815 <-> DISABLED <-> OS-WINDOWS Microsoft VBScript engine RegExp information disclosure attempt (os-windows.rules)
 * 1:43814 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:43813 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt (server-webapp.rules)
 * 1:43812 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43811 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43810 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt (server-webapp.rules)
 * 1:43809 <-> DISABLED <-> SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt (server-webapp.rules)
 * 1:43808 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:43807 <-> DISABLED <-> SERVER-IIS Microsoft ASP.NET bad request denial of service attempt (server-iis.rules)
 * 1:43806 <-> DISABLED <-> MALWARE-BACKDOOR HVL Rat inbound command (malware-backdoor.rules)
 * 1:43805 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43804 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43803 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43802 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43801 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43800 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43799 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43796 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET malicious CFG file (file-other.rules)
 * 1:43793 <-> DISABLED <-> SERVER-WEBAPP Symantec SEPM management console cross site scripting attempt (server-webapp.rules)
 * 1:43792 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
 * 1:43791 <-> DISABLED <-> OS-WINDOWS Microsoft .NET framework mscormmc.dll ASLR bypass attempt (os-windows.rules)
 * 1:43790 <-> ENABLED <-> SERVER-OTHER Apache mod_auth_digest out of bounds read attempt (server-other.rules)
 * 1:43789 <-> DISABLED <-> SERVER-OTHER Solarwinds Virtualization Manager Java malicious object deserialization attempt (server-other.rules)
 * 1:43788 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43787 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43786 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:43785 <-> DISABLED <-> POLICY-OTHER Possible Apache Continuum saveInstallation.action command injection vulnerability check (policy-other.rules)
 * 1:43784 <-> DISABLED <-> POLICY-OTHER D-Link DIR-645 router external authentication attempt (policy-other.rules)
 * 1:43783 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43782 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43781 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router cross site scripting attempt (server-webapp.rules)
 * 1:43780 <-> DISABLED <-> SERVER-WEBAPP D-Link DIR-645 router buffer overflow attempt (server-webapp.rules)
 * 1:43779 <-> DISABLED <-> BROWSER-FIREFOX Mozilla multiple products SharedWorker MessagePort memory corruption attempt (browser-firefox.rules)
 * 1:43778 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox nsTreeContentView double-free memory corruption attempt (browser-firefox.rules)
 * 1:43777 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
 * 1:43776 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)
 * 1:43775 <-> DISABLED <-> SERVER-WEBAPP HP Sitescope EmailServlet directory traversal attempt (server-webapp.rules)

Modified Rules:

 * 1:31194 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:33679 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:33680 <-> DISABLED <-> SERVER-OTHER Cisco CNS Network Registrar denial of service attempt (server-other.rules)
 * 1:34299 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpagehide use after free attempt (browser-ie.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38889 <-> DISABLED <-> SERVER-ORACLE Oracle Application Test Suite server authentication bypass attempt (server-oracle.rules)
 * 1:40889 <-> DISABLED <-> SERVER-WEBAPP Barracuda WAF UPDATE_scan_information_in_use command injection attempt (server-webapp.rules)
 * 1:40940 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:40941 <-> DISABLED <-> FILE-OFFICE Microsoft Office hyperlink object out of bounds read attempt (file-office.rules)
 * 1:41206 <-> DISABLED <-> SERVER-OTHER Aerospike Database Server index name buffer overflow attempt (server-other.rules)
 * 1:41850 <-> DISABLED <-> SERVER-WEBAPP Apache Struts URL validator denial of service attempt (server-webapp.rules)
 * 1:42197 <-> DISABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:43171 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43172 <-> DISABLED <-> FILE-OFFICE Microsoft Word malformed jpeg remote code execution attempt (file-office.rules)
 * 1:43444 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:6122 <-> DISABLED <-> MALWARE-BACKDOOR millenium v1.0 runtime detection (malware-backdoor.rules)
 * 1:6289 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server (malware-backdoor.rules)
 * 1:6290 <-> DISABLED <-> MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client (malware-backdoor.rules)
 * 1:6319 <-> DISABLED <-> MALWARE-BACKDOOR evilftp runtime detection - init connection (malware-backdoor.rules)