Talos Rules 2018-02-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, file-office, indicator-obfuscation, protocol-snmp, protocol-tftp, server-other and server-webapp rule sets to provide coverage for emerging threats in these technologies. Note that several of the new rules ship DISABLED by default and must be enabled explicitly to produce alerts.

Change logs

2018-02-08 15:35:46 UTC

Snort Subscriber Rules Update

Date: 2018-02-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:45593 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45594 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45595 <-> ENABLED <-> FILE-FLASH Adobe PSDK DRM Manager memory corruption attempt (file-flash.rules)
 * 1:45611 <-> DISABLED <-> PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt (protocol-snmp.rules)
 * 1:45612 <-> DISABLED <-> PROTOCOL-TFTP WRITE long filename attempt (protocol-tftp.rules)
 * 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
 * 1:45614 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
 * 1:45615 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45616 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movieclip duplicateMovieClip use-after-free attempt (file-flash.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
 * 1:45619 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
 * 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
 * 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
 * 3:45622 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)
 * 3:45623 <-> ENABLED <-> SERVER-WEBAPP Cisco RV132W and RV134W routers command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 1:27875 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (indicator-obfuscation.rules)
 * 1:29675 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:30849 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:35438 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:35439 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox JavaScript engine integer overflow attempt (browser-firefox.rules)
 * 1:41004 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:41005 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader QOSProvider object use after free attempt (file-flash.rules)
 * 1:43579 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 1:43580 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion attempt (browser-ie.rules)
 * 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
 * 3:45596 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)

Identical lists (the same new and modified rules, with the same default states) were published at 2018-02-08 15:35:46 UTC for the Snort version 2990, 2091100 and 2091101 rule packs.
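An added example, not part of the Talos release note, that parses lines in the stated format (gid:sid <-> Default rule state <-> Message (rule group)) and pulls out what a practitioner acts on after a rule update: the new rules that ship DISABLED (they produce no alerts until you enable them), the gid 3 shared-object rules (which only load if the precompiled SO package for your Snort build is installed), a per-group count, and a comparison of two lists to confirm they carry the same rules, as the lists for the four Snort versions above do. The sample input is a constructed subset of lines copied from the change log; the helper names and the enablesid-style output format are the example's own assumptions.

```python
"""Parse a Talos rule-update change log (gid:sid <-> state <-> msg (group.rules)).

Added example, not Talos code. Sample lines are copied from the 2018-02-08
change log; helper names and the enablesid-style output are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the change-log lines above, in the page's format.
SAMPLE = """\
New Rules:

 * 1:45618 <-> DISABLED <-> PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt (protocol-snmp.rules)
 * 1:45613 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Selection.SetSelection use-after-free attempt (file-flash.rules)
 * 1:45617 <-> ENABLED <-> SERVER-WEBAPP HP IMC WebDMServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45620 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SxView record memory pointer corruption attempt (file-office.rules)
 * 3:45621 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Central recvbackup.cgi command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:518 <-> DISABLED <-> PROTOCOL-TFTP Put (protocol-tftp.rules)
 * 3:45575 <-> ENABLED <-> SERVER-OTHER Cisco ASA VPN aggregateAuthDataHandler double free attempt (server-other.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w-]+)\.rules\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    msg: str
    group: str
    section: str  # "new" or "modified"


def parse_changelog(text):
    """Return RuleEntry objects in file order; lines that are not rules are skipped."""
    section = None
    entries = []
    for line in text.splitlines():
        header = line.strip()
        if header == "New Rules:":
            section = "new"
            continue
        if header == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, dates, version headers
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"],
                                 m["group"], section))
    return entries


def disabled_new_rules(entries):
    """New rules that ship off: they produce no alerts until you enable them."""
    return [e for e in entries if e.section == "new" and not e.enabled]


def shared_object_rules(entries):
    """gid 3 rules are shared-object (SO) rules; they only load when the
    precompiled SO package matching your Snort build and platform is installed."""
    return [e for e in entries if e.gid == 3]


def groups_touched(entries):
    """Number of entries per rule group (the .rules file name without the suffix)."""
    return Counter(e.group for e in entries)


def enablesid_lines(entries):
    """gid:sid pairs for the disabled new rules, one per line as a pulledpork
    enablesid.conf accepts (assumed target tooling; adapt for others)."""
    return [f"{e.gid}:{e.sid}" for e in disabled_new_rules(entries)]


def diff_changelogs(text_a, text_b):
    """Compare two change logs (e.g. the lists for two Snort versions) by
    (gid, sid, section); returns (only_in_a, only_in_b), both empty if identical."""
    def key(e):
        return (e.gid, e.sid, e.section)
    a = {key(e) for e in parse_changelog(text_a)}
    b = {key(e) for e in parse_changelog(text_b)}
    return a - b, b - a


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("rules parsed:", len(rules))
    print("groups:", dict(groups_touched(rules)))
    print("new but DISABLED by default:", enablesid_lines(rules))
    print("SO rules (gid 3):", [f"{e.gid}:{e.sid}" for e in shared_object_rules(rules)])
```

Running it on the full change log above instead of the sample reports 1:45611, 1:45612, 1:45618, 1:45619 and 1:45620 as new rules that are off by default, and flags 3:45621 through 3:45623 plus the two modified ASA rules as SO rules; diff_changelogs over any two of the four version lists returns two empty sets.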