Talos Rules 2018-03-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, file-pdf, os-windows, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-03-08 16:32:40 UTC

Snort Subscriber Rules Update

Date: 2018-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45865 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45864 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45863 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45862 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45861 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45860 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45859 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45858 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45857 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45856 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45855 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt (os-windows.rules)
 * 1:45853 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45852 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45851 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45850 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45849 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45866 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 3:45870 <-> ENABLED <-> SERVER-WEBAPP Cisco ACS unsafe Java object deserialization attempt (server-webapp.rules)

Modified Rules:
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)

2018-03-08 16:32:41 UTC

Snort Subscriber Rules Update

Date: 2018-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45866 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45849 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45853 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt (os-windows.rules)
 * 1:45852 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45855 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45856 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45857 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45858 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45859 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45860 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45861 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45851 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45865 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45862 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45863 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45864 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45850 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 3:45870 <-> ENABLED <-> SERVER-WEBAPP Cisco ACS unsafe Java object deserialization attempt (server-webapp.rules)

Modified Rules:
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)

2018-03-08 16:32:41 UTC

Snort Subscriber Rules Update

Date: 2018-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (snort3-file-pdf.rules)
 * 1:45869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (snort3-file-pdf.rules)
 * 1:45868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (snort3-file-pdf.rules)
 * 1:45855 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (snort3-file-other.rules)
 * 1:45862 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (snort3-file-pdf.rules)
 * 1:45852 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (snort3-file-other.rules)
 * 1:45860 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (snort3-file-other.rules)
 * 1:45861 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (snort3-file-other.rules)
 * 1:45858 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (snort3-server-webapp.rules)
 * 1:45859 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (snort3-server-webapp.rules)
 * 1:45857 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (snort3-server-webapp.rules)
 * 1:45853 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (snort3-server-other.rules)
 * 1:45856 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (snort3-file-other.rules)
 * 1:45854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt (snort3-os-windows.rules)
 * 1:45851 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (snort3-file-other.rules)
 * 1:45850 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (snort3-file-other.rules)
 * 1:45849 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (snort3-file-other.rules)
 * 1:45866 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (snort3-file-pdf.rules)
 * 1:45864 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (snort3-file-pdf.rules)
 * 1:45865 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (snort3-file-pdf.rules)
 * 1:45863 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (snort3-file-pdf.rules)

Modified Rules:
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (snort3-server-mail.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (snort3-server-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (snort3-file-other.rules)

2018-03-08 16:32:41 UTC

Snort Subscriber Rules Update

Date: 2018-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45851 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45866 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45865 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45861 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45862 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45855 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45852 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45858 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45856 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45849 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45857 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45859 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45864 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45850 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45863 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45853 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt (os-windows.rules)
 * 1:45860 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 3:45870 <-> ENABLED <-> SERVER-WEBAPP Cisco ACS unsafe Java object deserialization attempt (server-webapp.rules)

Modified Rules:
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)

2018-03-08 16:32:41 UTC

Snort Subscriber Rules Update

Date: 2018-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45867 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45850 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45853 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:45869 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45868 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader getAnnotsRichMedia return type confusion attempt (file-pdf.rules)
 * 1:45852 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45855 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45856 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF out of bounds write attempt (file-other.rules)
 * 1:45857 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45858 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45859 <-> DISABLED <-> SERVER-WEBAPP HPE Intelligent Management Center Platform /rptviewer/servlets/redirectviewer directory traversal attempt (server-webapp.rules)
 * 1:45860 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45854 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv3 null pointer dereference attempt (os-windows.rules)
 * 1:45851 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 1:45861 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS malformed TIFF data out of bounds access attempt (file-other.rules)
 * 1:45862 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45866 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader invalid trailer memory corruption attempt (file-pdf.rules)
 * 1:45863 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45864 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45865 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader bookmarkRoot memory corruption attempt (file-pdf.rules)
 * 1:45849 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro EMF malformed bitmap rectangle destination out of bounds read attempt (file-other.rules)
 * 3:45870 <-> ENABLED <-> SERVER-WEBAPP Cisco ACS unsafe Java object deserialization attempt (server-webapp.rules)

Modified Rules:
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:3824 <-> DISABLED <-> SERVER-MAIL AUTH user overflow attempt (server-mail.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)