Talos Rules 2017-10-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-multimedia, file-other, malware-cnc, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note the default states in the change logs below: every new text rule (gid 1) in this release ships DISABLED and must be enabled in your policy to take effect, while the new shared-object rules (gid 3) ship ENABLED.

Change logs

2017-10-05 13:25:21 UTC

Snort Subscriber Rules Update

Date: 2017-10-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules)
 * 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44493 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ONVIF device_service SQL injection attempt (server-webapp.rules)
 * 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44489 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44488 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44487 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44486 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44485 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44484 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 3:44498 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44499 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44500 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44503 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance direct authentication denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19403 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:17128 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
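The change logs follow the one-line-per-rule format stated above (gid:sid, default state, message, rule group). When several rule packs are released at once, an operator usually wants three things from them: which new rules are disabled by default (so they can be enabled deliberately), how the changes spread across rule groups, and confirmation that the per-version packs carry the same rule set. The Python below is an added example written for this page, not a Talos or Snort tool; the sample text is a handful of lines copied from this release, and the helper names (parse_changelog, disabled_new_sids, group_counts, compare_packs) are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches one changelog entry, e.g.
#  * 1:44489 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
RULE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int          # 1 = text rule, 3 = shared-object rule
    sid: int
    enabled: bool     # default state in the rule pack
    category: str     # leading token of the message, e.g. SERVER-WEBAPP
    message: str
    group: str        # rules file the entry lives in, e.g. server-webapp.rules
    section: str      # "new" or "modified"


def parse_changelog(text):
    """Parse a Snort Subscriber Rules Update changelog into Rule records."""
    rules, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # headers, blank lines, prose
        if section is None:
            raise ValueError(f"rule entry before any section header: {line!r}")
        msg = m.group("msg")
        rules.append(Rule(
            gid=int(m.group("gid")), sid=int(m.group("sid")),
            enabled=(m.group("state") == "ENABLED"),
            category=msg.split(" ", 1)[0], message=msg,
            group=m.group("group"), section=section,
        ))
    return rules


def disabled_new_sids(rules):
    """New rules that ship disabled: the ones an operator must opt into."""
    picked = [r for r in rules if r.section == "new" and not r.enabled]
    return [f"{r.gid}:{r.sid}" for r in sorted(picked, key=lambda r: (r.gid, r.sid))]


def group_counts(rules):
    """Number of changed rules per rules file."""
    return Counter(r.group for r in rules)


def compare_packs(rules_a, rules_b):
    """(gid, sid) pairs present in only one of two packs; both empty means they agree."""
    ids_a = {(r.gid, r.sid) for r in rules_a}
    ids_b = {(r.gid, r.sid) for r in rules_b}
    return sorted(ids_a - ids_b), sorted(ids_b - ids_a)


# Constructed sample: a subset of entries copied from the 2017-10-05 changelog.
SAMPLE = """\
New Rules:


 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44489 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 3:44503 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance direct authentication denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:17128 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print("disabled new rules:", disabled_new_sids(parsed))
    print("per group:", dict(group_counts(parsed)))
```

Run the same parser over each of the three per-version change logs on this page and feed the results to compare_packs; two empty lists confirm the 2091100, 2990 and 2983 packs received identical rule sets despite their different ordering.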

2017-10-05 13:25:21 UTC

Snort Subscriber Rules Update

Date: 2017-10-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44489 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44493 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ONVIF device_service SQL injection attempt (server-webapp.rules)
 * 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:44484 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44485 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44486 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44487 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44488 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules)
 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 3:44500 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44499 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44503 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance direct authentication denial of service attempt (server-webapp.rules)
 * 3:44498 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19403 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:17128 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)

2017-10-05 13:25:21 UTC

Snort Subscriber Rules Update

Date: 2017-10-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44502 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44491 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44490 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44489 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44488 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44485 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44487 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44484 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44486 <-> DISABLED <-> POLICY-OTHER SMBv1 protocol detection attempt (policy-other.rules)
 * 1:44483 <-> DISABLED <-> SERVER-OTHER Supervisord remote code execution attempt (server-other.rules)
 * 1:44492 <-> DISABLED <-> SERVER-WEBAPP ZyXEL Router Firmware qos_queue_add.cgi command injection attempt (server-webapp.rules)
 * 1:44495 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44501 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess buffer overflow attempt (server-other.rules)
 * 1:44497 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras information disclosure attempt (server-webapp.rules)
 * 1:44494 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 1:44493 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ONVIF device_service SQL injection attempt (server-webapp.rules)
 * 1:44496 <-> DISABLED <-> SERVER-WEBAPP Faleemi IP Cameras ftp.cgi command injection attempt (server-webapp.rules)
 * 3:44498 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44499 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44500 <-> ENABLED <-> SERVER-WEBAPP Cisco License Manager ReportCSV directory traversal attempt (server-webapp.rules)
 * 3:44503 <-> ENABLED <-> SERVER-WEBAPP Cisco Adaptive Security Appliance direct authentication denial of service attempt (server-webapp.rules)

Modified Rules:


 * 1:17128 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
 * 1:43795 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:42836 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42835 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:42838 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Backdoor.Chopper (blacklist.rules)
 * 1:42834 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:19403 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows AVI cinepak codec decompression remote code execution attempt (file-multimedia.rules)
 * 1:42837 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:43798 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:43794 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)
 * 1:43797 <-> DISABLED <-> FILE-OTHER Schneider Electric VAMSET CFG file heap buffer overflow attempt (file-other.rules)