Talos Rules 2017-11-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the indicator-compromise, policy-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-11-02 15:27:40 UTC

Snort Subscriber Rules Update

Date: 2017-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
 * 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
 * 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
 * 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)

Modified Rules:

 * 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)

2017-11-02 15:27:40 UTC

Snort Subscriber Rules Update

Date: 2017-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
 * 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
 * 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
 * 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
 * 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)

Modified Rules:

 * 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)

2017-11-02 15:27:40 UTC

Snort Subscriber Rules Update

Date: 2017-11-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:44705 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44718 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44719 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44716 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44720 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate arbitrary file write attempt (server-other.rules)
 * 1:44717 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44715 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Collector process remote start attempt (server-other.rules)
 * 1:44706 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44704 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44721 <-> DISABLED <-> SERVER-OTHER Oracle GoldenGate Manager process arbitrary file execution attempt (server-other.rules)
 * 1:44703 <-> DISABLED <-> POLICY-OTHER Apache OpenOffice malicious macro exploitation attempt (policy-other.rules)
 * 1:44728 <-> DISABLED <-> INDICATOR-COMPROMISE Meterpreter windows x64 reverse_tcp stage payload download attempt (indicator-compromise.rules)
 * 3:44707 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44726 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientStatisticTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44724 <-> ENABLED <-> SERVER-WEBAPP Cisco Firepower Smart Licensing command injection attempt (server-webapp.rules)
 * 3:44723 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44708 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44713 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)
 * 3:44709 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44710 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44711 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44712 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0471 attack attempt (server-webapp.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44727 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller cldcClientTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44722 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration Provisioning pmclasschooser.xml SQL injection attempt (server-webapp.rules)
 * 3:44714 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0464 attack attempt (policy-other.rules)

Modified Rules:

 * 1:29498 <-> DISABLED <-> SERVER-WEBAPP HP Intelligent Management Center sdFileDownload information disclosure attempt (server-webapp.rules)