Talos Rules 2018-02-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, file-office, file-other, file-pdf, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note the default states in the lists below: every new gid:1 rule in this release (Adobe Acrobat Reader, Apple Safari WebKit and Ulterius coverage) ships DISABLED and fires only if you enable it, while the new gid:3 rules (the TRUFFLEHUNTER TALOS-2018-05xx and Cisco coverage) ship ENABLED, and the Snort 3 pack carries only the gid:1 rules.

Change logs

2018-02-22 18:42:10 UTC

Snort Subscriber Rules Update

Date: 2018-02-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45726 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45725 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45737 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45736 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45735 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45734 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45733 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45732 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45728 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45727 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 3:45710 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45709 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45706 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45714 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45697 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45712 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45698 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45717 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45711 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45731 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
 * 3:45730 <-> ENABLED <-> SERVER-OTHER Cisco TelePresence TC and TE software authentication bypass attempt (server-other.rules)
 * 3:45729 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager appuserFindList.do access detected (policy-other.rules)
 * 3:45718 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45707 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45708 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45699 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45700 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45701 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45716 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45702 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45703 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45704 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45715 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45705 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45713 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)

Modified Rules:


 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
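
The change-log format above is simple enough to parse, and doing so answers the two questions an operator has after reading it: which of the new rules will not fire until they are enabled, and whether every rule that went into one pack also went into another. The following is an added example, not part of the Talos release notes; the sample text is a shortened excerpt of the lists above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated excerpt of the change logs on this page,
# two packs (Snort 2091101 and Snort 3000) with one entry per section kept.
SAMPLE = """\
2018-02-22 18:42:10 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:

 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 3:45731 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)

Modified Rules:

 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)

2018-02-22 18:42:10 UTC

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (snort3-file-other.rules)
"""

# One entry line: " * gid:sid <-> STATE <-> Message (rule group)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
VERSION_RE = re.compile(r"for Snort version (\d+)\.")
SECTION_RE = re.compile(r"^(New|Modified) Rules:$")


def parse_changelog(text):
    """Return one dict per rule line, tagged with the pack version and the section it sits in."""
    entries, version, section = [], None, None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:                                   # a new pack header resets the section
            version, section = m.group(1), None
            continue
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group(1).lower()        # "new" or "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and version and section:
            entries.append({"version": version, "section": section,
                            "gid": int(m["gid"]), "sid": int(m["sid"]),
                            "state": m["state"], "msg": m["msg"], "group": m["group"]})
    return entries


def new_rules_disabled_by_default(entries, version):
    """gid:sid keys the pack adds but leaves DISABLED: they never alert until you enable them."""
    keys = {f"{e['gid']}:{e['sid']}" for e in entries
            if e["version"] == version and e["section"] == "new" and e["state"] == "DISABLED"}
    return sorted(keys, key=lambda k: tuple(int(x) for x in k.split(":")))


def rules_missing_from_pack(entries, reference_version, target_version):
    """(gid, sid) pairs listed for reference_version but absent from target_version's list."""
    def keys(v):
        return {(e["gid"], e["sid"]) for e in entries if e["version"] == v}
    return sorted(keys(reference_version) - keys(target_version))


def summary_by_gid(entries, version):
    """Counts of new and modified rules per gid for one pack."""
    counts = defaultdict(lambda: {"new": 0, "modified": 0})
    for e in entries:
        if e["version"] == version:
            counts[e["gid"]][e["section"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    print("disabled by default in 2091101:", new_rules_disabled_by_default(rules, "2091101"))
    print("in 2091101 but not in 3000:", rules_missing_from_pack(rules, "2091101", "3000"))
    print("per-gid summary for 2091101:", summary_by_gid(rules, "2091101"))
```

Run against the full change log above, the cross-pack check reports every gid:3 rule as present in the Snort 2.x packs and absent from the Snort 3000 pack, and the disabled-by-default list is exactly the set of new gid:1 rules, which is what a rule-management step (enabling the Acrobat, WebKit or Ulterius coverage where those products are in scope) needs as input.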

2018-02-22 18:42:10 UTC

Snort Subscriber Rules Update

Date: 2018-02-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45726 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45725 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45732 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45733 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45735 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45734 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45737 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45736 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45728 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45727 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 3:45713 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45730 <-> ENABLED <-> SERVER-OTHER Cisco TelePresence TC and TE software authentication bypass attempt (server-other.rules)
 * 3:45731 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
 * 3:45718 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45714 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45712 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45716 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45715 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45705 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45711 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45710 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45697 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45698 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45717 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45729 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager appuserFindList.do access detected (policy-other.rules)
 * 3:45707 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45709 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45699 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45708 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45700 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45701 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45702 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45706 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45703 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45704 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)

Modified Rules:


 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)

2018-02-22 18:42:10 UTC

Snort Subscriber Rules Update

Date: 2018-02-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45733 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (snort3-browser-webkit.rules)
 * 1:45725 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (snort3-file-pdf.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (snort3-server-webapp.rules)
 * 1:45727 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (snort3-file-pdf.rules)
 * 1:45728 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45732 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (snort3-browser-webkit.rules)
 * 1:45734 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (snort3-browser-webkit.rules)
 * 1:45737 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (snort3-file-pdf.rules)
 * 1:45735 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (snort3-browser-webkit.rules)
 * 1:45726 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45736 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (snort3-file-pdf.rules)

Modified Rules:


 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (snort3-file-other.rules)
 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (snort3-file-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (snort3-server-other.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (snort3-server-other.rules)

2018-02-22 18:42:10 UTC

Snort Subscriber Rules Update

Date: 2018-02-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45725 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45732 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45733 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45727 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45736 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45726 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45735 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45737 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45734 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45728 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 3:45715 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45713 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45697 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45716 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45714 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45706 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45698 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45699 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45710 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45700 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45701 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45707 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45702 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45729 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager appuserFindList.do access detected (policy-other.rules)
 * 3:45705 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45730 <-> ENABLED <-> SERVER-OTHER Cisco TelePresence TC and TE software authentication bypass attempt (server-other.rules)
 * 3:45731 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
 * 3:45718 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45703 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45712 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45704 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45717 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45711 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45709 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45708 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)

Modified Rules:


 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)

2018-02-22 18:42:10 UTC

Snort Subscriber Rules Update

Date: 2018-02-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45721 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45722 <-> DISABLED <-> SERVER-WEBAPP Ulterius web server directory traversal attempt (server-webapp.rules)
 * 1:45719 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45733 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45726 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45724 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45725 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45732 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45735 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45728 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45723 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45720 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader OCG heap overflow attempt (file-pdf.rules)
 * 1:45727 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader byte order mark out of bounds read attempt (file-pdf.rules)
 * 1:45737 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 1:45734 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit button first-letter style rendering code execution attempt (browser-webkit.rules)
 * 1:45736 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG2 decoder use after free attempt (file-pdf.rules)
 * 3:45731 <-> ENABLED <-> SERVER-WEBAPP Cisco Elastic Services Controller authentication bypass attempt (server-webapp.rules)
 * 3:45730 <-> ENABLED <-> SERVER-OTHER Cisco TelePresence TC and TE software authentication bypass attempt (server-other.rules)
 * 3:45714 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45729 <-> ENABLED <-> POLICY-OTHER Cisco Unified Communications Manager appuserFindList.do access detected (policy-other.rules)
 * 3:45711 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45712 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45713 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45716 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45697 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45698 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45706 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45708 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45715 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0532 attack attempt (file-pdf.rules)
 * 3:45699 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45710 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45700 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0530 attack attempt (file-other.rules)
 * 3:45701 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45702 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45709 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45703 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45717 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45707 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45718 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0528 attack attempt (file-office.rules)
 * 3:45704 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)
 * 3:45705 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0529 attack attempt (file-other.rules)

Modified Rules:


 * 1:16514 <-> DISABLED <-> SERVER-OTHER Trillian AIM XML tag handling heap buffer overflow attempt (server-other.rules)
 * 1:33655 <-> DISABLED <-> SERVER-OTHER Squid Proxy invalid HTTP response code denial of service attempt (server-other.rules)
 * 1:40942 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)
 * 1:40943 <-> ENABLED <-> FILE-OTHER Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt (file-other.rules)