Talos Rules 2017-11-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-office, file-other, file-pdf, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-11-30 18:56:54 UTC

Snort Subscriber Rules Update

Date: 2017-11-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
 * 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
 * 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
 * 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
 * 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
 * 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
 * 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
 * 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
 * 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)
 * 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)

2017-11-30 18:56:54 UTC

Snort Subscriber Rules Update

Date: 2017-11-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
 * 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
 * 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)
 * 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
 * 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
 * 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
 * 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
 * 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
 * 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)

Modified Rules:


 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)

2017-11-30 18:56:54 UTC

Snort Subscriber Rules Update

Date: 2017-11-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45081 <-> DISABLED <-> SERVER-OTHER Geutebrueck GCore web server buffer overflow attempt (server-other.rules)
 * 1:45080 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror malicious flash file load attempt (exploit-kit.rules)
 * 1:45079 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45078 <-> DISABLED <-> SERVER-WEBAPP TP-Link WR1043ND router cross site request forgery attempt (server-webapp.rules)
 * 1:45077 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45076 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45075 <-> ENABLED <-> SERVER-WEBAPP WordPress Ultimate Form Builder plugin SQL injection attempt (server-webapp.rules)
 * 1:45074 <-> ENABLED <-> SERVER-SAMBA Samba unsigned connections attempt (server-samba.rules)
 * 1:45073 <-> DISABLED <-> SERVER-WEBAPP Wireless IP Camera WIFICAM information leak attempt (server-webapp.rules)
 * 1:45072 <-> ENABLED <-> SERVER-SAMBA Samba write command memory leak attempt (server-samba.rules)
 * 1:45071 <-> ENABLED <-> SERVER-SAMBA Samba write and unlock command memory leak attempt (server-samba.rules)
 * 1:45070 <-> ENABLED <-> SERVER-SAMBA Samba write and close command memory leak attempt (server-samba.rules)
 * 1:45069 <-> ENABLED <-> SERVER-SAMBA Samba write andx command memory leak attempt (server-samba.rules)
 * 1:45068 <-> DISABLED <-> SERVER-OTHER Oracle Identity Manager default login attempt (server-other.rules)
 * 1:45067 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45066 <-> DISABLED <-> SERVER-WEBAPP WordPress Duplicator cross site scripting attempt (server-webapp.rules)
 * 1:45065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45062 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected. (malware-cnc.rules)
 * 1:45061 <-> DISABLED <-> SERVER-WEBAPP Wordpress User History plugin cross site scripting attempt (server-webapp.rules)
 * 1:45060 <-> DISABLED <-> SERVER-WEBAPP pfSense system_groupmanager.php command injection attempt (server-webapp.rules)
 * 1:45059 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45058 <-> DISABLED <-> FILE-OTHER Microsoft Windows UAC bypass attempt (file-other.rules)
 * 1:45057 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45056 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45055 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45054 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45053 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb SQL injection attempt (server-webapp.rules)
 * 1:45051 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Win.Tool.SMSBomber (blacklist.rules)
 * 1:45050 <-> ENABLED <-> MALWARE-CNC Win.Trojan.IcedId outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:32428 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:32429 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:41095 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt (server-webapp.rules)
 * 1:41096 <-> DISABLED <-> SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt (server-webapp.rules)
 * 1:42475 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:42476 <-> DISABLED <-> FILE-PDF malformed embedded JPEG2000 image information disclosure attempt (file-pdf.rules)
 * 1:43598 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)
 * 1:43599 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer object type confusion remote code execution attempt (browser-ie.rules)