Talos Rules 2017-09-08
Talos is aware of a vulnerability affecting Apache Struts.

CVE-2017-12611: A coding deficiency exists in Apache Struts that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 44327 through 44330.

Talos has also added and modified multiple rules in the file-executable, file-other, malware-cnc, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-09-08 22:49:15 UTC

Snort Subscriber Rules Update

Date: 2017-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44330 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44329 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44328 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44327 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:44325 <-> DISABLED <-> FILE-OTHER ZIP file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44324 <-> DISABLED <-> POLICY-OTHER vsFTPd denial of service attempt (policy-other.rules)
 * 1:44323 <-> DISABLED <-> FILE-OTHER RAR file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
 * 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:39463 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:39464 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:41923 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)

2017-09-08 22:49:15 UTC

Snort Subscriber Rules Update

Date: 2017-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44328 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44329 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
 * 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
 * 1:44323 <-> DISABLED <-> FILE-OTHER RAR file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44324 <-> DISABLED <-> POLICY-OTHER vsFTPd denial of service attempt (policy-other.rules)
 * 1:44325 <-> DISABLED <-> FILE-OTHER ZIP file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:44327 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44330 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)

Modified Rules:

 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:39464 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:41923 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39463 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)

2017-09-08 22:49:15 UTC

Snort Subscriber Rules Update

Date: 2017-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44325 <-> DISABLED <-> FILE-OTHER ZIP file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44329 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44327 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44330 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:44326 <-> DISABLED <-> SERVER-OTHER Novell iPrint Client buffer overflow attempt (server-other.rules)
 * 1:44324 <-> DISABLED <-> POLICY-OTHER vsFTPd denial of service attempt (policy-other.rules)
 * 1:44322 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
 * 1:44323 <-> DISABLED <-> FILE-OTHER RAR file malformed header antivirus evasion attempt (file-other.rules)
 * 1:44321 <-> DISABLED <-> SERVER-WEBAPP NEC Express Cluster DeleteWorkDirectory.js command injection attempt (server-webapp.rules)
 * 1:44328 <-> ENABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)

Modified Rules:

 * 1:44108 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:39464 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:41923 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:44279 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection (malware-cnc.rules)
 * 1:39463 <-> DISABLED <-> FILE-EXECUTABLE McAfee LiveSafe malformed executable denial of service attempt (file-executable.rules)
 * 1:44109 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:44114 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44115 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44113 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)
 * 1:44112 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF file TIFF image size memory corruption attempt (file-other.rules)