Talos Rules 2017-09-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-other, os-other, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-09-28 16:46:05 UTC

Snort Subscriber Rules Update

Date: 2017-09-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
 * 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
 * 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
 * 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
 * 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
 * 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
 * 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
 * 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
 * 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
 * 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
 * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
 * 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
 * 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
 * 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
 * 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
 * 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
 * 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
 * 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
 * 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)

Modified Rules:


 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
 * 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)

2017-09-28 16:46:05 UTC

Snort Subscriber Rules Update

Date: 2017-09-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
 * 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
 * 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
 * 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
 * 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
 * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
 * 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
 * 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
 * 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
 * 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
 * 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
 * 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
 * 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
 * 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
 * 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
 * 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
 * 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
 * 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
 * 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
 * 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)

Modified Rules:


 * 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)

2017-09-28 16:46:05 UTC

Snort Subscriber Rules Update

Date: 2017-09-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35921 <-> DISABLED <-> SERVER-OTHER General Electric Proficy malicious log forwarding request attempt (server-other.rules)
 * 1:35920 <-> ENABLED <-> SERVER-OTHER General Electric Proficy memory leakage request attempt (server-other.rules)
 * 1:35865 <-> ENABLED <-> BROWSER-IE Internet Explorer DataSource recordset remote code execution attempt (browser-ie.rules)
 * 1:35876 <-> DISABLED <-> FILE-OTHER InduSoft Web Studio insecure visual basic code execution attempt (file-other.rules)
 * 1:44454 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi directory traversal attempt (server-webapp.rules)
 * 1:44455 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:35889 <-> DISABLED <-> PROTOCOL-SCADA Kaskad SCADA arbitrary command execution attempt (protocol-scada.rules)
 * 1:35867 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35874 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35887 <-> DISABLED <-> POLICY-OTHER SCADA Engine BACnet OPC Server untrusted SQL query execution attempt (policy-other.rules)
 * 1:35910 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight information disclosure attempt (server-other.rules)
 * 1:35888 <-> DISABLED <-> PROTOCOL-SCADA SCADA Engine OPC Server arbitrary file upload attempt (protocol-scada.rules)
 * 1:35917 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:44456 <-> DISABLED <-> FILE-IMAGE Apple PICT Quickdraw image converter packType 4 buffer overflow attempt (file-image.rules)
 * 1:35893 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35866 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer XMLDOM double free corruption attempt (browser-ie.rules)
 * 1:35873 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35875 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35909 <-> ENABLED <-> SERVER-OTHER Siemens Desigo Insight buffer overflow attempt (server-other.rules)
 * 1:35896 <-> ENABLED <-> SERVER-OTHER GE Proficy CIMPLICITY Marquee Manager stack buffer overflow attempt (server-other.rules)
 * 1:35916 <-> DISABLED <-> SERVER-OTHER Websense Triton Web Security untrusted remote file creation attempt (server-other.rules)
 * 1:35872 <-> DISABLED <-> BROWSER-PLUGINS Steema Software SL TeeChart Pro ActiveX clsid access (browser-plugins.rules)
 * 1:35892 <-> DISABLED <-> SERVER-OTHER GE Proficy Real-Time Information Portal arbitrary dll load attempt (server-other.rules)
 * 1:35886 <-> DISABLED <-> POLICY-OTHER Kaskad SCADA default username and password attempt (policy-other.rules)
 * 1:35904 <-> DISABLED <-> SERVER-OTHER SCADA InduSoft Web Studio buffer overflow attempt (server-other.rules)
 * 1:44453 <-> ENABLED <-> SERVER-WEBAPP D-Link hedwig.cgi NTP service configuration command injection attempt (server-webapp.rules)
 * 3:44463 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44459 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP forward open packet processing null pointer dereference attempt (protocol-scada.rules)
 * 3:44458 <-> ENABLED <-> PROTOCOL-SCADA Cisco IE2000 CIP get attributes all packet processing memory leak attempt (protocol-scada.rules)
 * 3:44457 <-> ENABLED <-> POLICY-OTHER Cisco IOS XE Web UI user administration page access detected (policy-other.rules)
 * 3:44462 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI rest path authentication bypass attempt (server-webapp.rules)
 * 3:44464 <-> ENABLED <-> SERVER-OTHER Cisco IOS IKEv2 session initialization denial of service attempt (server-other.rules)
 * 3:44461 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)
 * 3:44460 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI resource path authentication bypass attempt (server-webapp.rules)

Modified Rules:


 * 1:43237 <-> ENABLED <-> SERVER-WEBAPP SysAid Enterprise auth bypass and remote file upload attempt (server-webapp.rules)
 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP D-Link getcfg.php credential disclosure attempt (server-webapp.rules)
 * 3:7196 <-> ENABLED <-> OS-OTHER multiple operating systems DHCP option overflow attempt (os-other.rules)