Talos Rules 2018-04-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the policy-other and server-webapp rule sets to provide coverage for emerging threats targeting these technologies.

Change logs

2018-04-26 20:53:26 UTC

Snort Subscriber Rules Update

Date: 2018-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46447 <-> DISABLED <-> POLICY-OTHER TP-Link device reboot attempt (policy-other.rules)
 * 1:46451 <-> ENABLED <-> SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt (server-webapp.rules)
 * 1:46450 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt (server-webapp.rules)
 * 1:46449 <-> ENABLED <-> SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt (server-other.rules)
 * 1:46448 <-> DISABLED <-> POLICY-OTHER TP-Link device enable remote management attempt (policy-other.rules)

Modified Rules:


 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46296 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0570 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)

2018-04-26 20:53:26 UTC

Snort Subscriber Rules Update

Date: 2018-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46447 <-> DISABLED <-> POLICY-OTHER TP-Link device reboot attempt (policy-other.rules)
 * 1:46448 <-> DISABLED <-> POLICY-OTHER TP-Link device enable remote management attempt (policy-other.rules)
 * 1:46449 <-> ENABLED <-> SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt (server-other.rules)
 * 1:46450 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt (server-webapp.rules)
 * 1:46451 <-> ENABLED <-> SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 3:46296 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0570 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)

2018-04-26 20:53:26 UTC

Snort Subscriber Rules Update

Date: 2018-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46451 <-> ENABLED <-> SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt (snort3-server-webapp.rules)
 * 1:46450 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt (snort3-server-webapp.rules)
 * 1:46448 <-> DISABLED <-> POLICY-OTHER TP-Link device enable remote management attempt (snort3-policy-other.rules)
 * 1:46449 <-> ENABLED <-> SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt (snort3-server-other.rules)
 * 1:46447 <-> DISABLED <-> POLICY-OTHER TP-Link device reboot attempt (snort3-policy-other.rules)

Modified Rules:



2018-04-26 20:53:26 UTC

Snort Subscriber Rules Update

Date: 2018-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46449 <-> ENABLED <-> SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt (server-other.rules)
 * 1:46450 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt (server-webapp.rules)
 * 1:46447 <-> DISABLED <-> POLICY-OTHER TP-Link device reboot attempt (policy-other.rules)
 * 1:46448 <-> DISABLED <-> POLICY-OTHER TP-Link device enable remote management attempt (policy-other.rules)
 * 1:46451 <-> ENABLED <-> SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt (server-webapp.rules)

Modified Rules:


 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46296 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0570 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)

2018-04-26 20:53:26 UTC

Snort Subscriber Rules Update

Date: 2018-04-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46447 <-> DISABLED <-> POLICY-OTHER TP-Link device reboot attempt (policy-other.rules)
 * 1:46448 <-> DISABLED <-> POLICY-OTHER TP-Link device enable remote management attempt (policy-other.rules)
 * 1:46451 <-> ENABLED <-> SERVER-WEBAPP Drupal unsafe internal attribute remote code execution attempt (server-webapp.rules)
 * 1:46450 <-> DISABLED <-> SERVER-WEBAPP Elasticsearch snapshot directory traversal attempt (server-webapp.rules)
 * 1:46449 <-> ENABLED <-> SERVER-OTHER PostgreSQL Empty Password authentication bypass attempt (server-other.rules)

Modified Rules:


 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:46079 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0548 attack attempt (server-webapp.rules)
 * 3:46296 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0570 attack attempt (server-webapp.rules)
 * 3:46321 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0574 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46155 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46149 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0554 attack attempt (server-webapp.rules)
 * 3:46319 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0573 attack attempt (server-webapp.rules)
 * 3:46150 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46395 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0578 attack attempt (server-webapp.rules)
 * 3:46320 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0576 attack attempt (policy-other.rules)
 * 3:46154 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46153 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46152 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)
 * 3:46151 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0555 attack attempt (server-webapp.rules)