Talos Rules 2017-10-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, malware-cnc, malware-other, netbios, os-windows, protocol-dns, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-10-25 21:58:52 UTC

Snort Subscriber Rules Update

Date: 2017-10-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
 * 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
 * 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
 * 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
 * 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
 * 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
 * 1:44645 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
 * 1:44644 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)

Modified Rules:
 * 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
 * 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)

2017-10-25 21:58:52 UTC

Snort Subscriber Rules Update

Date: 2017-10-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
 * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
 * 1:44645 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
 * 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
 * 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
 * 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
 * 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
 * 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44644 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
 * 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)

Modified Rules:
 * 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
 * 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)

2017-10-25 21:58:52 UTC

Snort Subscriber Rules Update

Date: 2017-10-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:44660 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 command execution attempt (server-other.rules)
 * 1:44648 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44646 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt (malware-other.rules)
 * 1:44650 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt (malware-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:44664 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows shell.application object ShellExecute attempt (browser-plugins.rules)
 * 1:44645 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
 * 1:44651 <-> DISABLED <-> NETBIOS SMB NTLMSSP authentication brute force attempt (netbios.rules)
 * 1:44652 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:44653 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet (malware-cnc.rules)
 * 1:44654 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44655 <-> DISABLED <-> MALWARE-CNC IoT Reaper botnet dropper (malware-cnc.rules)
 * 1:44656 <-> ENABLED <-> MALWARE-CNC IoT Reaper botnet CNC (malware-cnc.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 1:44658 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup storage API command injection attempt (server-webapp.rules)
 * 1:44659 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wraut variant outbound connection attempt (malware-cnc.rules)
 * 1:44662 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44644 <-> DISABLED <-> SERVER-WEBAPP  pSys index.php shownews parameter SQL injection attempt (server-webapp.rules)
 * 1:44663 <-> DISABLED <-> SERVER-OTHER Mikrotik RouterOS SNMP security bypass attempt (server-other.rules)
 * 1:44661 <-> DISABLED <-> SERVER-OTHER D-Link DIR-300 and DIR-600 information disclosure attempt (server-other.rules)
 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

Modified Rules:
 * 1:44306 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 1:42862 <-> DISABLED <-> PROTOCOL-FTP Easy File Sharing FTP server directory traversal attempt (protocol-ftp.rules)
 * 1:44305 <-> DISABLED <-> OS-WINDOWS Microsoft DirectShow memory corruption attempt (os-windows.rules)
 * 3:21354 <-> ENABLED <-> PROTOCOL-DNS dns query - storing query and txid (protocol-dns.rules)
 * 3:21355 <-> ENABLED <-> PROTOCOL-DNS potential dns cache poisoning attempt - mismatched txid (protocol-dns.rules)