Talos Rules 2017-09-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-identify, file-image, file-office, file-other, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-09-26 13:29:08 UTC

Snort Subscriber Rules Update

Date: 2017-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
 * 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
 * 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
 * 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
 * 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
 * 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
 * 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
 * 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)

Modified Rules:


 * 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
 * 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)

2017-09-26 13:29:08 UTC

Snort Subscriber Rules Update

Date: 2017-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
 * 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
 * 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
 * 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
 * 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
 * 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
 * 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
 * 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)

Modified Rules:


 * 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
 * 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)

2017-09-26 13:29:08 UTC

Snort Subscriber Rules Update

Date: 2017-09-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44450 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected (malware-cnc.rules)
 * 1:44443 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected (malware-cnc.rules)
 * 1:44442 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44441 <-> ENABLED <-> FILE-IDENTIFY Blender blend file magic detected (file-identify.rules)
 * 1:44440 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Poison (blacklist.rules)
 * 1:44439 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44438 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected (malware-cnc.rules)
 * 1:44437 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44436 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF tail.php command injection attempt (server-webapp.rules)
 * 1:44435 <-> DISABLED <-> SERVER-WEBAPP DenyAll WAF authentication token disclosure attempt (server-webapp.rules)
 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:44433 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44432 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44431 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 1:44430 <-> ENABLED <-> FILE-OFFICE Fin7 Maldoc campaign exploitation attempt  (file-office.rules)
 * 3:44427 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44451 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt (file-image.rules)
 * 3:44449 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0456 attack attempt (file-other.rules)
 * 3:44446 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0454 attack attempt (file-other.rules)
 * 3:44419 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0445 attack attempt (protocol-scada.rules)
 * 3:44420 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2017-0440 attack attempt (protocol-scada.rules)
 * 3:44421 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44422 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0441 attack attempt (policy-other.rules)
 * 3:44423 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0444 attack attempt (policy-other.rules)
 * 3:44424 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44425 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44426 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44445 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44444 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0455 attack attempt (file-other.rules)
 * 3:44429 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)
 * 3:44428 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0443 attack attempt (policy-other.rules)

Modified Rules:


 * 3:44318 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)
 * 3:44319 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0438 attack attempt (file-other.rules)