Talos Rules 2017-12-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, malware-cnc, malware-other, policy-social, protocol-rpc, server-mail and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2017-12-07 14:42:09 UTC

Snort Subscriber Rules Update

Date: 2017-12-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
 * 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)
 * 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)
 * 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
 * 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
 * 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
 * 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
 * 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
 * 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
 * 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
 * 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
 * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
 * 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
 * 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)
 * 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)

2017-12-07 14:42:09 UTC

Snort Subscriber Rules Update

Date: 2017-12-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
 * 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
 * 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)
 * 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)

Modified Rules:


 * 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
 * 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
 * 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
 * 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
 * 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)
 * 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
 * 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)
 * 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
 * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
 * 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
 * 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
 * 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)

2017-12-07 14:42:09 UTC

Snort Subscriber Rules Update

Date: 2017-12-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45112 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45115 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45113 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager showresource.do SQL injection attempt (server-webapp.rules)
 * 1:45114 <-> ENABLED <-> MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection (malware-cnc.rules)
 * 1:45109 <-> DISABLED <-> SERVER-WEBAPP OrientDB remote code execution attempt (server-webapp.rules)
 * 1:45111 <-> DISABLED <-> SERVER-WEBAPP OrientDB database query attempt (server-webapp.rules)
 * 1:45119 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45108 <-> DISABLED <-> PROTOCOL-RPC XDR string allocation denial of service attempt (protocol-rpc.rules)
 * 1:45117 <-> ENABLED <-> SERVER-WEBAPP Huawei DeviceUpgrade command injection attempt (server-webapp.rules)
 * 1:45118 <-> ENABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45116 <-> DISABLED <-> SERVER-MAIL Multiple products non-ascii sender address spoofing attempt (server-mail.rules)
 * 1:45110 <-> DISABLED <-> SERVER-WEBAPP OrientDB privilege escalation attempt (server-webapp.rules)

Modified Rules:


 * 1:29658 <-> ENABLED <-> BLACKLIST DNS request for known malware domain thirdbase.bugs3.com - Adobe 0day C&C (blacklist.rules)
 * 1:20694 <-> DISABLED <-> MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection (malware-cnc.rules)
 * 1:19392 <-> DISABLED <-> MALWARE-OTHER Keylogger Monitor.win32.perflogger (malware-other.rules)
 * 1:39726 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:29657 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sales.eu5.org - Adobe 0day C&C (blacklist.rules)
 * 1:34835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neos outbound connection (malware-cnc.rules)
 * 1:39725 <-> ENABLED <-> SERVER-WEBAPP Drupal RESTWS restws_page_callback command injection attempt (server-webapp.rules)
 * 1:1790 <-> DISABLED <-> POLICY-SOCIAL IRC dns response (policy-social.rules)
 * 1:1605 <-> DISABLED <-> SERVER-OTHER iParty DOS attempt (server-other.rules)
 * 1:17207 <-> DISABLED <-> SERVER-OTHER IBM Cognos Server backdoor account remote code execution attempt (server-other.rules)
 * 1:37101 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nessfi outbound connection (malware-cnc.rules)
 * 1:29656 <-> ENABLED <-> BLACKLIST DNS request for known malware domain javaupdate.flashserv.net - Adobe 0day C&C (blacklist.rules)
 * 1:29659 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.mobilitysvc.com - Adobe 0day C&C (blacklist.rules)
 * 1:34799 <-> ENABLED <-> SERVER-WEBAPP UPnP AddPortMapping SOAP action command injection attempt (server-webapp.rules)