Talos Rules 2017-10-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-19 14:41:09 UTC

Snort Subscriber Rules Update

Date: 2017-10-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
 * 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
 * 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
 * 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)

2017-10-19 14:41:09 UTC

Snort Subscriber Rules Update

Date: 2017-10-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
 * 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
 * 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
 * 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)

2017-10-19 14:41:09 UTC

Snort Subscriber Rules Update

Date: 2017-10-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44629 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44615 <-> DISABLED <-> INDICATOR-OBFUSCATION suspicious javascript deobfuscation calls attempt (indicator-obfuscation.rules)
 * 1:44620 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44619 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44609 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44607 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 1:44616 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44617 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 1:44631 <-> DISABLED <-> SERVER-WEBAPP Wordpress content cross site scripting attempt (server-webapp.rules)
 * 1:44613 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44612 <-> DISABLED <-> INDICATOR-COMPROMISE VBscript downloader detected (indicator-compromise.rules)
 * 1:44621 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44632 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin bbPress comment cross site scripting attempt (server-webapp.rules)
 * 1:44611 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected (malware-cnc.rules)
 * 1:44622 <-> ENABLED <-> MALWARE-CNC Android Red Alert Trojan outbound connection attempt (malware-cnc.rules)
 * 1:44623 <-> DISABLED <-> POLICY-OTHER EMC Autostart default domain login attempt (policy-other.rules)
 * 1:44628 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44630 <-> DISABLED <-> OS-WINDOWS Attempted DNSSEC NSEC3 buffer overflow attempt (os-windows.rules)
 * 1:44608 <-> DISABLED <-> SERVER-WEBAPP HP IMC userSelectPagingContent Java expression language injection attempt (server-webapp.rules)
 * 3:44614 <-> ENABLED <-> SERVER-WEBAPP D-Link soap.cgi service command injection attempt (server-webapp.rules)
 * 3:44624 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44625 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44626 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)
 * 3:44627 <-> ENABLED <-> SERVER-WEBAPP TP-Link syslog.filter.json command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:44434 <-> DISABLED <-> INDICATOR-COMPROMISE possible Apache HTTP Server OPTIONS memory leak disclosure attempt (indicator-compromise.rules)
 * 1:2570 <-> DISABLED <-> SERVER-WEBAPP invalid HTTP version string (server-webapp.rules)
 * 1:35170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:35171 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer MutationObserver use after free attempt (browser-ie.rules)
 * 1:42894 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif variant outbound connection (malware-cnc.rules)
 * 3:10480 <-> ENABLED <-> SERVER-OTHER imail ldap buffer overflow exploit attempt (server-other.rules)