Talos Rules 2017-10-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-17 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2017-10-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
 * 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
 * 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
 * 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
 * 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
 * 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
 * 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
 * 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
 * 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified Rules:

 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)

2017-10-17 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2017-10-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
 * 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
 * 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
 * 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
 * 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
 * 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
 * 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
 * 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
 * 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified Rules:

 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)

2017-10-17 13:09:55 UTC

Snort Subscriber Rules Update

Date: 2017-10-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44597 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44596 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 1:44582 <-> ENABLED <-> SERVER-WEBAPP Trend Micro widget system authentication bypass attempt (server-webapp.rules)
 * 1:44581 <-> DISABLED <-> SERVER-OTHER TrendMicro OfficeScan LogonUser buffer overflow attempt (server-other.rules)
 * 1:44577 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ cross site scripting attempt (server-other.rules)
 * 1:44578 <-> DISABLED <-> SERVER-WEBAPP QNAP NAS HelpDesk App supportutils.php SQL injection attempt (server-webapp.rules)
 * 1:44599 <-> DISABLED <-> FILE-OFFICE Microsoft Office oci.dll dll-load exploit attempt (file-office.rules)
 * 1:44576 <-> DISABLED <-> SERVER-OTHER Samsung Security Manager ActiveMQ arbitrary file upload attempt (server-other.rules)
 * 1:44570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:44571 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44572 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44600 <-> DISABLED <-> FILE-OFFICE Microsoft Office iasdatastore2.dll dll-load exploit attempt (file-office.rules)
 * 1:44569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection attempt (malware-cnc.rules)
 * 1:44604 <-> DISABLED <-> SERVER-OTHER Novell eDirectory LDAP server buffer overflow attempt (server-other.rules)
 * 1:44602 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44603 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:44573 <-> ENABLED <-> SERVER-WEBAPP Trend Micro Mobile Security Enterprise web_service.dll SQL injection attempt (server-webapp.rules)
 * 1:44574 <-> DISABLED <-> SERVER-OTHER Ipass Client control pipe remote code execution attempt (server-other.rules)
 * 1:44601 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:44579 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44580 <-> DISABLED <-> FILE-OFFICE Microsoft Office dde field code execution attempt (file-office.rules)
 * 1:44583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player array type confusion attempt (file-flash.rules)
 * 1:44585 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44586 <-> DISABLED <-> FILE-OFFICE Microsoft Word docx object type confusion attempt (file-office.rules)
 * 1:44587 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44588 <-> DISABLED <-> SERVER-WEBAPP Trend Micro OfficeScan server side request forgery attempt (server-webapp.rules)
 * 1:44591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange (malware-cnc.rules)
 * 1:44598 <-> DISABLED <-> FILE-OFFICE Microsoft Office ociw32.dll dll-load exploit attempt (file-office.rules)
 * 1:44592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange (malware-cnc.rules)
 * 1:44595 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DNSMessenger outbound connection (malware-cnc.rules)
 * 3:44606 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44593 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44594 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0462 attack attempt (file-office.rules)
 * 3:44605 <-> ENABLED <-> SERVER-WEBAPP Nagios XI Incident Manager SQL injection attempt (server-webapp.rules)
 * 3:44590 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)
 * 3:44589 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0463 attack attempt (file-office.rules)

Modified Rules:

 * 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
 * 1:43581 <-> DISABLED <-> SERVER-OTHER Oracle DBMS AUTH_ALTER_SESSION SQL injection attempt (server-other.rules)
 * 1:21484 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)
 * 1:17572 <-> DISABLED <-> OS-WINDOWS Microsoft XML Core Services cross-site information disclosure attempt (os-windows.rules)
 * 1:44473 <-> DISABLED <-> FILE-OTHER ZIP file name overflow attempt (file-other.rules)