Talos Rules 2017-09-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
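The list below is easy to parse mechanically, which matters because this page repeats the same rule set once per supported Snort version, and because most of the new text rules (gid 1) ship DISABLED and only land in a sensor policy if someone turns them on. The following parser is an added example, not code from Talos or the Snort project: it reads lines in the `gid:sid <-> STATE <-> Message (group.rules)` form, de-duplicates across the per-version blocks, summarises enabled/disabled counts per rule group, and emits `gid:sid` lines in the form PulledPork's `enablesid.conf` accepts for the disabled rules in groups you care about. The sample input is a handful of lines copied from this changelog (with one deliberate repeat) and is constructed here for the demonstration.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry: " * 1:44232 <-> DISABLED <-> SERVER-WEBAPP ... (server-webapp.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int          # 1 = text rules, 3 = shared-object (SO) rules
    sid: int
    enabled: bool     # default state in the shipped policy
    category: str     # first token of the message, e.g. SERVER-WEBAPP (or DELETED)
    message: str
    group: str        # rules file the entry lives in, e.g. server-webapp.rules


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse every rule line; headers, blanks and other prose are skipped."""
    entries: list[RuleEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            category=msg.split()[0], message=msg, group=m["group"],
        ))
    return entries


def dedupe(entries: list[RuleEntry]) -> list[RuleEntry]:
    """Collapse the per-Snort-version repeats to one entry per gid:sid, sorted."""
    seen: dict[tuple[int, int], RuleEntry] = {}
    for e in entries:
        seen.setdefault((e.gid, e.sid), e)
    return sorted(seen.values(), key=lambda e: (e.gid, e.sid))


def summarize(entries: list[RuleEntry]) -> dict[tuple[str, str], int]:
    """Count rules per (rules file, 'enabled'|'disabled') after de-duplication."""
    counts: Counter = Counter()
    for e in dedupe(entries):
        counts[(e.group, "enabled" if e.enabled else "disabled")] += 1
    return dict(counts)


def enablesid_lines(entries: list[RuleEntry], groups: set[str]) -> list[str]:
    """gid:sid lines for DISABLED rules in the chosen groups (enablesid.conf format)."""
    return [f"{e.gid}:{e.sid}" for e in dedupe(entries)
            if not e.enabled and e.group in groups]


# Constructed sample: lines taken from this changelog, the last one a repeat
# as it would appear in the second per-version block.
SAMPLE = """
New Rules:

 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected  (deleted.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for key, n in sorted(summarize(parsed).items()):
        print(f"{key[0]:<30} {key[1]:<9} {n}")
    print("\n".join(enablesid_lines(parsed, {"server-webapp.rules", "server-other.rules"})))
```

Two caveats when acting on the output: a rule that ships DISABLED is off because Talos judged it too noisy or too niche for the default policy, so enable by group only after checking the affected products actually exist on your network, and gid 3 entries are shared-object rules that need the precompiled SO modules for your platform in place, so adding their SIDs to a text enable list does nothing on its own.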

New Rules:


 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected (deleted.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected (deleted.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)

Modified Rules:


 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)

2017-09-06 00:02:04 UTC

Snort Subscriber Rules Update

Date: 2017-09-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44296 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44293 <-> DISABLED <-> SERVER-OTHER FreeRADIUS data2vp_wimax out of bounds write attempt (server-other.rules)
 * 1:44292 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF8 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44291 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BIFF5 formulas from records parsing code execution attempt (file-office.rules)
 * 1:44290 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44289 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel sheet object type confusion exploit attempt (file-office.rules)
 * 1:44286 <-> DISABLED <-> FILE-IMAGE Real-DRAW PRO malformed PNG denial of service attempt (file-image.rules)
 * 1:44285 <-> DISABLED <-> DELETED FILE-IDENTIFY Microsoft Office Word file attachment detected (deleted.rules)
 * 1:44284 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44283 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44282 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44281 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MDAC ActiveX clsid access attempt (browser-ie.rules)
 * 1:44280 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint invalid TextByteAtom remote code execution attempt (file-office.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44278 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt (malware-cnc.rules)
 * 1:44277 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt (malware-cnc.rules)
 * 1:44275 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Excel file attachment detected (file-identify.rules)
 * 1:44236 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:44235 <-> ENABLED <-> INDICATOR-OBFUSCATION FOPO obfuscated PHP file upload attempt (indicator-obfuscation.rules)
 * 1:44234 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44233 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44232 <-> DISABLED <-> SERVER-WEBAPP Western Digital Dropbox App dropbox.php command injection attempt (server-webapp.rules)
 * 1:44231 <-> ENABLED <-> FILE-IDENTIFY Microsoft Office Word doc file attachment detected (file-identify.rules)
 * 3:44297 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0435 attack attempt (server-webapp.rules)
 * 3:44295 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44294 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0432 attack attempt (file-pdf.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44274 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44273 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0431 attack attempt (file-office.rules)
 * 3:44272 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44271 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0430 attack attempt (file-office.rules)
 * 3:44270 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44269 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0434 attack attempt (file-other.rules)
 * 3:44268 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0437 attack attempt (policy-other.rules)
 * 3:44267 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0436 attack attempt (policy-other.rules)
 * 3:44266 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44265 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0413 attack attempt (file-multimedia.rules)
 * 3:44264 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44263 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44262 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44261 <-> ENABLED <-> FILE-MULTIMEDIA TRUFFLEHUNTER TALOS-2017-0414 attack attempt (file-multimedia.rules)
 * 3:44260 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44259 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44258 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44257 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44237 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44238 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44256 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44239 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44240 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44255 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44243 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44244 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0410 attack attempt (file-image.rules)
 * 3:44245 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44246 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44253 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44247 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)
 * 3:44254 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0415 attack attempt (file-other.rules)
 * 3:44252 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44251 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0408 attack attempt (file-image.rules)
 * 3:44250 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44249 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0411 attack attempt (file-image.rules)
 * 3:44248 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0409 attack attempt (file-image.rules)

Modified Rules:


 * 1:23115 <-> DISABLED <-> SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt (server-mysql.rules)
 * 1:33105 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33106 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33107 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33108 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scanner.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33109 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33110 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33111 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33112 <-> DISABLED <-> BROWSER-PLUGINS Honeywell OPOS Suite Scale.ocx ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40494 <-> ENABLED <-> SERVER-WEBAPP Wordpress Symposium arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:43932 <-> ENABLED <-> EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode (exploit-kit.rules)