Talos Rules 2018-03-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-03-23 15:07:20 UTC

Snort Subscriber Rules Update

Date: 2018-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt (malware-cnc.rules)
 * 1:46046 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46045 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46044 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46043 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46042 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46041 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46040 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt (server-webapp.rules)

Modified Rules:



2018-03-23 15:07:20 UTC

Snort Subscriber Rules Update

Date: 2018-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46046 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt (malware-cnc.rules)
 * 1:46041 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46042 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46043 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46044 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46045 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46040 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt (server-webapp.rules)

Modified Rules:



2018-03-23 15:07:20 UTC

Snort Subscriber Rules Update

Date: 2018-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46045 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46041 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46042 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46043 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46044 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46046 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (snort3-server-webapp.rules)
 * 1:46040 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:



2018-03-23 15:07:20 UTC

Snort Subscriber Rules Update

Date: 2018-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt (malware-cnc.rules)
 * 1:46040 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt (server-webapp.rules)
 * 1:46046 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46045 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46044 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46042 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46043 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46041 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)

Modified Rules:



2018-03-23 15:07:20 UTC

Snort Subscriber Rules Update

Date: 2018-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt (malware-cnc.rules)
 * 1:46046 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46041 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46040 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Storage Manager EmConfigMigration servlet directory traversal attempt (server-webapp.rules)
 * 1:46043 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46042 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46044 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)
 * 1:46045 <-> DISABLED <-> SERVER-WEBAPP Joomla Component JMS Music 1.1.1 SQL injection attempt (server-webapp.rules)

Modified Rules: