Talos Rules 2017-11-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-11-16 15:45:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
 * 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
 * 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
 * 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
 * 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
 * 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
 * 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
 * 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
 * 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)

Modified Rules:


 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
 * 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
 * 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)

2017-11-16 15:45:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
 * 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
 * 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
 * 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
 * 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
 * 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
 * 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
 * 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
 * 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
 * 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)

Modified Rules:


 * 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
 * 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
 * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)

2017-11-16 15:45:29 UTC

Snort Subscriber Rules Update

Date: 2017-11-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44885 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
 * 1:44884 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat XPS unicode glyph pointer out of bounds (file-image.rules)
 * 1:44883 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44882 <-> DISABLED <-> FILE-PDF Adobe Acrobat acrobat URI handler security bypass (file-pdf.rules)
 * 1:44881 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
 * 1:44880 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF EMR_STRETCHDIBITS memory corruption attempt (file-image.rules)
 * 1:44879 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 1:44878 <-> DISABLED <-> SERVER-OTHER Mako Web Server arbitrary file upload attempt (server-other.rules)
 * 1:44877 <-> DISABLED <-> SERVER-OTHER Citrix XenApp and XenDesktop XML service memory corruption attempt (server-other.rules)
 * 1:44876 <-> ENABLED <-> MALWARE-CNC Malicious VBA Dropper outbound connection detected (malware-cnc.rules)
 * 1:44875 <-> ENABLED <-> INDICATOR-COMPROMISE Malicious VBA script detected (indicator-compromise.rules)
 * 1:44874 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44873 <-> ENABLED <-> FILE-PDF Adobe Acrobat addAnnot object untrusted pointer dereference attempt (file-pdf.rules)
 * 1:44872 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44871 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:44866 <-> DISABLED <-> SERVER-WEBAPP Xplico decoding manager daemon command injection attempt (server-webapp.rules)
 * 1:44865 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)
 * 1:44864 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer OLE auto-open attempt (indicator-compromise.rules)

Modified Rules:


 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:35507 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:35508 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer array prototype type confusion memory corruption attempt (browser-ie.rules)
 * 1:34824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:34825 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer moveEnd information disclosure attempt (browser-ie.rules)
 * 1:28614 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page (exploit-kit.rules)
 * 1:28615 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit exploit download attempt (exploit-kit.rules)
 * 1:13638 <-> DISABLED <-> BLACKLIST User-Agent known Adware user-agent string - Win.Adware.VirusHeat (blacklist.rules)
 * 1:27666 <-> DISABLED <-> SERVER-OTHER ISC BIND 9 DNS rdata length handling remote denial of service attempt (server-other.rules)
 * 3:43120 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)
 * 3:43121 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0356 attack attempt (file-pdf.rules)