Talos Rules 2017-09-21
This release adds and modifies rules in several categories.

Talos has added and modified rules in the file-office, file-other, indicator-compromise, malware-cnc, protocol-dns, pua-adware, server-apache, server-other and server-webapp rule sets. The new rules cover Win.Trojan.Trickbot, Win.Trojan.Konus and Win.Trojan.KediRAT command-and-control traffic, several D-Link router and Cisco vulnerabilities, and the TALOS-2017-0449, -0450 and -0453 advisories. Note the default rule state in the lists below: the new D-Link, PHP, Tipping Point, Techsnab and indicator-compromise rules ship DISABLED and will not alert until enabled in the local policy.

Change logs

2017-09-21 15:36:37 UTC

Snort Subscriber Rules Update

Date: 2017-09-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
 * 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
 * 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
 * 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
 * 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
 * 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
 * 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)
 * 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
 * 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)

Modified Rules:


 * 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
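All three changelogs on this page use the one-line-per-rule format given above. The script below is an added example, not Talos's own tooling: it parses that format and pulls out what a rule-pack consumer should check before rolling the update out, namely which rules ship DISABLED (they never alert until enabled in policy) and which are gid 3 shared-object rules (those are delivered only in the precompiled SO rule pack for the matching Snort build, not as rule text). The SAMPLE string is a constructed subset of this release's lines, and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of this release's changelog lines, verbatim.
SAMPLE = """\
New Rules:

 * 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
 * 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)

Modified Rules:

 * 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
"""

# gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it appeared in."""
    section = None
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, and anything else not in the format
        rule = m.groupdict()
        rule["gid"] = int(rule["gid"])
        rule["sid"] = int(rule["sid"])
        rule["section"] = section
        rules.append(rule)
    return rules


def disabled_by_default(rules):
    """(gid, sid) pairs that ship DISABLED: candidates for manual enabling."""
    return sorted((r["gid"], r["sid"]) for r in rules if r["state"] == "DISABLED")


def shared_object_sids(rules):
    """SIDs of gid 3 rules, which only exist in the precompiled SO rule pack."""
    return sorted(r["sid"] for r in rules if r["gid"] == 3)


def summarize(rules):
    """Per rule group, how many rules are ENABLED vs DISABLED by default."""
    by_group = defaultdict(Counter)
    for r in rules:
        by_group[r["group"]][r["state"]] += 1
    return dict(by_group)


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("disabled by default:", disabled_by_default(parsed))
    print("shared-object rules:", shared_object_sids(parsed))
    for group, counts in sorted(summarize(parsed).items()):
        print(f"{group}: {dict(counts)}")
```

Run it against the full changelog text to get the list of SIDs to review for enabling (the D-Link, PHP upload, Tipping Point and Struts rules in this release) and to confirm the SO rule pack for your Snort build is deployed alongside the text rules.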

2017-09-21 15:36:37 UTC

Snort Subscriber Rules Update

Date: 2017-09-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
 * 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
 * 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
 * 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
 * 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
 * 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)
 * 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
 * 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)

2017-09-21 15:36:37 UTC

Snort Subscriber Rules Update

Date: 2017-09-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44409 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44387 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44384 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44412 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44385 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44418 <-> DISABLED <-> SERVER-OTHER Tipping Point IPS reverse DNS lookup format string exploit attempt (server-other.rules)
 * 1:44386 <-> DISABLED <-> SERVER-WEBAPP D-Link router stack based buffer overflow attempt (server-webapp.rules)
 * 1:44413 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44416 <-> DISABLED <-> INDICATOR-COMPROMISE png file attachment without matching file magic (indicator-compromise.rules)
 * 1:44383 <-> DISABLED <-> SERVER-WEBAPP D-Link router firmware update attempt (server-webapp.rules)
 * 1:44391 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44415 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44388 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44389 <-> DISABLED <-> SERVER-WEBAPP D-Link router information disclosure attempt (server-webapp.rules)
 * 1:44390 <-> DISABLED <-> SERVER-WEBAPP PHP form-based file upload DoS attempt (server-webapp.rules)
 * 1:44392 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44393 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
 * 1:44394 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44395 <-> DISABLED <-> PUA-ADWARE Win.Adware.Techsnab variant outbound connection detected (pua-adware.rules)
 * 1:44396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.KediRAT outbound communication (malware-cnc.rules)
 * 1:44399 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44400 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44401 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange (malware-cnc.rules)
 * 1:44403 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44404 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44405 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44407 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44408 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44406 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44414 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44410 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44411 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt (malware-cnc.rules)
 * 1:44382 <-> DISABLED <-> SERVER-OTHER D-Link router remote reboot attempt (server-other.rules)
 * 3:44381 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0449 attack attempt (server-webapp.rules)
 * 3:44397 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44379 <-> ENABLED <-> PROTOCOL-DNS Cisco IOS ipnat_dns_shift_data integer underflow attempt (protocol-dns.rules)
 * 3:44417 <-> ENABLED <-> SERVER-WEBAPP Cisco Customer Voice Portal MyAccountEditAction.do privilege escalation attempt (server-webapp.rules)
 * 3:44398 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0453 attack attempt (file-other.rules)
 * 3:44380 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0450 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44327 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 1:43159 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:43160 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2016 use after free attempt (file-office.rules)
 * 1:44328 <-> DISABLED <-> SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt (server-apache.rules)
 * 3:44287 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)
 * 3:44288 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0433 attack attempt (file-other.rules)