Talos Rules 2017-12-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-executable, file-other, malware-cnc, malware-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-12-19 14:27:21 UTC

Snort Subscriber Rules Update

Date: 2017-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules)
 * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules)
 * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
 * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules)
 * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules)
 * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules)
 * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules)
 * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules)
 * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
 * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules)
 * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)

2017-12-19 14:27:21 UTC

Snort Subscriber Rules Update

Date: 2017-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules)
 * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules)
 * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules)
 * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules)
 * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
 * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules)
 * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules)
 * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules)
 * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
 * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules)
 * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules)
 * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
 * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)

2017-12-19 14:27:21 UTC

Snort Subscriber Rules Update

Date: 2017-12-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45205 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:45200 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45203 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:45219 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead LD_preload code execution attempt (server-webapp.rules)
 * 1:45212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45204 <-> DISABLED <-> SERVER-WEBAPP ActiveCalendar css cross site scripting attempt (server-webapp.rules)
 * 1:45207 <-> DISABLED <-> PROTOCOL-SCADA WelinTech Kingview History Server denial of service attempt (protocol-scada.rules)
 * 1:45214 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 1:45211 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45201 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45208 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45215 <-> DISABLED <-> FILE-OTHER Microsoft Word DDEauto code execution attempt (file-other.rules)
 * 1:45213 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45202 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:45221 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Nautilus outbound call (malware-cnc.rules)
 * 1:45198 <-> DISABLED <-> SERVER-OTHER Advantech WebAccess dcerpc service opcode 80061 stack buffer overflow attempt (server-other.rules)
 * 1:45206 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)
 * 1:45218 <-> ENABLED <-> SERVER-WEBAPP Embedthis GoAhead CGI information disclosure attempt (server-webapp.rules)
 * 1:45209 <-> ENABLED <-> MALWARE-CNC Win.Trojan.VEye2 remote access tool download (malware-cnc.rules)
 * 1:45199 <-> DISABLED <-> SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt (server-other.rules)
 * 1:45210 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 3:45216 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45217 <-> ENABLED <-> FILE-EXECUTABLE TRUFFLEHUNTER TALOS-2017-0509 attack attempt (file-executable.rules)
 * 3:45220 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0507 attack attempt (server-other.rules)
 * 3:45222 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)
 * 3:45223 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0508 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:25310 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:39107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection (malware-cnc.rules)
 * 1:19620 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:40989 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:25309 <-> DISABLED <-> FILE-OTHER Adobe Audition Session file stack buffer overflow attempt (file-other.rules)
 * 1:44649 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:19618 <-> DISABLED <-> FILE-OTHER Multiple products dwmapi.dll dll-load exploit attempt (file-other.rules)
 * 1:31325 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:39106 <-> ENABLED <-> MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection (malware-cnc.rules)
 * 1:17363 <-> DISABLED <-> FILE-OTHER Apple OSX Finder DMG volume name memory corruption attempt (file-other.rules)
 * 1:40988 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:44647 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:19006 <-> DISABLED <-> SERVER-OTHER HP Data Protector Express DtbClsLogin buffer overflow attempt (server-other.rules)
 * 1:31513 <-> DISABLED <-> BROWSER-FIREFOX Multiple browser pressure function denial of service attempt (browser-firefox.rules)