Talos Rules 2018-05-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the deleted, file-image, file-pdf, os-windows and server-webapp rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)

Modified Rules:


 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (snort3-server-other.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (snort3-os-windows.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (snort3-os-windows.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (snort3-server-other.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (snort3-deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (snort3-server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (snort3-server-webapp.rules)
 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (snort3-server-webapp.rules)

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46468 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install invalid init discovery message denial of service attempt (server-other.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)

Modified Rules:


 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)

2018-05-01 12:55:21 UTC

Snort Subscriber Rules Update

Date: 2018-05-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46461 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46463 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46465 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46462 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:46096 <-> ENABLED <-> SERVER-OTHER Cisco Smart Install init discovery message stack buffer overflow attempt (server-other.rules)
 * 1:46467 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46466 <-> ENABLED <-> OS-WINDOWS Windows NTFS NtfsFindExistingLcb denial of service attempt (os-windows.rules)
 * 1:46464 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:46097 <-> DISABLED <-> DELETED SERVER-OTHER deleted attempt (deleted.rules)
 * 1:46454 <-> DISABLED <-> SERVER-WEBAPP Node.js zlib createDeflateRaw denial of service attempt (server-webapp.rules)
 * 3:46459 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46452 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46455 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)
 * 3:46457 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46458 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0588 attack attempt (file-pdf.rules)
 * 3:46453 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0586 attack attempt (file-image.rules)
 * 3:46460 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0585 attack attempt (file-image.rules)
 * 3:46456 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0587 attack attempt (file-image.rules)

Modified Rules:


 * 1:37953 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx cross site scripting attempt (server-webapp.rules)
 * 1:13928 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-WEBAPP Multiple products HTTP connection header overflow attempt (server-webapp.rules)
 * 1:13929 <-> DISABLED <-> SERVER-WEBAPP Adobe RoboHelp rx SQL injection attempt (server-webapp.rules)