Talos Rules 2017-10-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-12 14:34:02 UTC

Snort Subscriber Rules Update

Date: 2017-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
 * 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
 * 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
 * 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
 * 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
 * 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
 * 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
 * 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
 * 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
 * 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
 * 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)

Modified Rules:


 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)

2017-10-12 14:34:02 UTC

Snort Subscriber Rules Update

Date: 2017-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
 * 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
 * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
 * 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
 * 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
 * 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
 * 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
 * 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
 * 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
 * 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
 * 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)

Modified Rules:


 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)
 * 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
 * 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)

2017-10-12 14:34:02 UTC

Snort Subscriber Rules Update

Date: 2017-10-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44562 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44551 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44566 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44561 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan Messaging Security diagnostic.log information disclosure attempt (server-webapp.rules)
 * 1:44564 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44563 <-> DISABLED <-> MALWARE-CNC Win.Exploit.Empire variant outbound connection detected (malware-cnc.rules)
 * 1:44553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:44554 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected (malware-cnc.rules)
 * 1:44550 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed EMF memory corruption attempt (file-image.rules)
 * 1:44549 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44548 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:44560 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 1:44567 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 1:44559 <-> ENABLED <-> MALWARE-CNC Word.Trojan.Emotet obfuscated powershell (malware-cnc.rules)
 * 1:44568 <-> DISABLED <-> SERVER-WEBAPP Wordpress Customizer directory traversal attempt (server-webapp.rules)
 * 3:44547 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)
 * 3:44556 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection edit-nuance.do cross site scripting attempt (server-webapp.rules)
 * 3:41018 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44545 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:41019 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44555 <-> ENABLED <-> SERVER-WEBAPP Cisco FirePower Management Center cross site scripting attempt (server-webapp.rules)
 * 3:44537 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster UploadFile.js arbitrary file upload attempt (server-webapp.rules)
 * 3:44557 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection nick-name.do cross site scripting attempt (server-webapp.rules)
 * 3:44538 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44539 <-> ENABLED <-> SERVER-WEBAPP NEC ExpressCluster LogCollect.js command injection attempt (server-webapp.rules)
 * 3:44558 <-> ENABLED <-> SERVER-WEBAPP Cisco Unity Connection serviceParamEdit.do cross site scripting attempt (server-webapp.rules)
 * 3:44540 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44541 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition configuration change attempt (server-other.rules)
 * 3:44542 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition remote code execution attempt (server-other.rules)
 * 3:44543 <-> ENABLED <-> SERVER-OTHER Jiangmin Anti-Virus Network Edition information disclosure attempt (server-other.rules)
 * 3:44544 <-> ENABLED <-> FILE-PDF Nitro Pro PDF document field dereference use after free attempt (file-pdf.rules)
 * 3:44546 <-> ENABLED <-> FILE-PDF Nitro Pro use after free remote code execution attempt (file-pdf.rules)

Modified Rules:


 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle Database Server authentication bypass attempt (server-other.rules)
 * 1:44361 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:44359 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:44360 <-> ENABLED <-> SERVER-WEBAPP Trend Micro proxy_controller.php command injection attempt (server-webapp.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:38477 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:43638 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:43640 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel null pointer dereference attempt (file-office.rules)
 * 1:38478 <-> DISABLED <-> BROWSER-IE Microsoft Edge webnote exit event css arbitrary file read attempt (browser-ie.rules)
 * 1:37146 <-> ENABLED <-> SERVER-OTHER Juniper ScreenOS unauthorized backdoor access attempt (server-other.rules)