Talos Rules 2017-08-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, file-flash, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-08-17 13:38:19 UTC

Snort Subscriber Rules Update

Date: 2017-08-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
 * 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
 * 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)

Modified Rules:


 * 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)

2017-08-17 13:38:19 UTC

Snort Subscriber Rules Update

Date: 2017-08-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
 * 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
 * 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
 * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
 * 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)

Modified Rules:


 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
 * 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)

2017-08-17 13:38:19 UTC

Snort Subscriber Rules Update

Date: 2017-08-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44011 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Hippo variant outbound connection (malware-cnc.rules)
 * 1:44010 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:44009 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox empty lookupGetter dangling pointer attempt (browser-firefox.rules)
 * 1:44008 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44007 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44006 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44005 <-> DISABLED <-> SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt (server-webapp.rules)
 * 1:44004 <-> DISABLED <-> POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected (policy-other.rules)
 * 1:44003 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44002 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SMB sandbox bypass attempt (file-flash.rules)
 * 1:44001 <-> DISABLED <-> SERVER-WEBAPP PHP malformed quoted printable denial of service attempt (server-webapp.rules)
 * 1:44000 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43999 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Acrobat Professional EMF malformed brush object attempt (file-multimedia.rules)
 * 1:43998 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43997 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed TrueType font memory corruption attempt (file-pdf.rules)
 * 1:43996 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43995 <-> ENABLED <-> FILE-FLASH Adobe Flash Player overly large cpool index out of bounds read attempt (file-flash.rules)
 * 1:43994 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43993 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43992 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43991 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader graphics engine memory corruption attempt (file-pdf.rules)
 * 1:43990 <-> DISABLED <-> INDICATOR-OBFUSCATION RTF obfuscation string (indicator-obfuscation.rules)
 * 1:43989 <-> DISABLED <-> INDICATOR-OBFUSCATION newlines embedded in rtf header (indicator-obfuscation.rules)
 * 1:43988 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:43987 <-> DISABLED <-> SERVER-OTHER Konqueror KDE ftp iframe denial of service attempt (server-other.rules)
 * 1:43986 <-> DISABLED <-> PROTOCOL-SCADA Schneider Electroc ModbusDrv.exe buffer overflow attempt (protocol-scada.rules)
 * 1:43985 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rortiem outbound connection attempt (malware-cnc.rules)
 * 1:43984 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43983 <-> DISABLED <-> FILE-OTHER Adobe Professional JPEG APP1 memory corruption attempt (file-other.rules)
 * 1:43982 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 1:43981 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Femas variant outbound connection (malware-cnc.rules)
 * 3:44012 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0411 attack attempt (policy-other.rules)

Modified Rules:


 * 1:21902 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:43642 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox multiple vulnerabilities memory corruption attempt (browser-firefox.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:32863 <-> ENABLED <-> FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt (file-office.rules)
 * 3:23040 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)
 * 3:23039 <-> ENABLED <-> PROTOCOL-DNS Multiple vendor DNS message decompression denial of service attempt (protocol-dns.rules)