Talos Rules 2018-06-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the indicator-compromise, malware-cnc, os-other, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-06-21 12:32:20 UTC

Snort Subscriber Rules Update

Date: 2018-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules)
 * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules)
 * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules)
 * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules)
 * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules)
 * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules)
 * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules)
 * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)

Modified Rules:


 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)

2018-06-21 12:32:20 UTC

Snort Subscriber Rules Update

Date: 2018-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules)
 * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules)
 * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules)
 * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules)
 * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules)
 * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)

Modified Rules:


 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)

2018-06-21 12:32:20 UTC

Snort Subscriber Rules Update

Date: 2018-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (snort3-os-other.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (snort3-server-webapp.rules)
 * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (snort3-malware-cnc.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (snort3-server-webapp.rules)
 * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (snort3-malware-cnc.rules)
 * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (snort3-malware-cnc.rules)
 * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (snort3-os-other.rules)

Modified Rules:


 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (snort3-server-iis.rules)
 * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)
 * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (snort3-server-webapp.rules)

2018-06-21 12:32:20 UTC

Snort Subscriber Rules Update

Date: 2018-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules)
 * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules)
 * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules)
 * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules)
 * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules)
 * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules)
 * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)

Modified Rules:


 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)

2018-06-21 12:32:20 UTC

Snort Subscriber Rules Update

Date: 2018-06-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47001 <-> ENABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46991 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46990 <-> DISABLED <-> OS-OTHER Apple macOS and iOS fgetattrlist kernel heap overflow attempt (os-other.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47007 <-> DISABLED <-> SERVER-WEBAPP Spring Web Flow arbitrary code exeuction attempt (server-webapp.rules)
 * 1:47005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:47006 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SocketPlayer outbound connection (malware-cnc.rules)
 * 1:46998 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection (malware-cnc.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46997 <-> DISABLED <-> SERVER-WEBAPP XiongMai NVR login.htm buffer overflow attempt (server-webapp.rules)
 * 3:47010 <-> ENABLED <-> SERVER-WEBAPP Cisco FX-OS mod_nuova stack buffer overflow attempt (server-webapp.rules)
 * 3:47003 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47004 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:47013 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:47008 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API ins_api command injection attempt (server-webapp.rules)
 * 3:47012 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:46992 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API privilege escalation attempt (server-webapp.rules)
 * 3:46994 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:46996 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)
 * 3:46993 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol denial of service attempt (server-other.rules)
 * 3:47014 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV integer overflow attempt (server-other.rules)
 * 3:47009 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS NX-API cli_ascii command injection attempt (server-webapp.rules)
 * 3:47011 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol TLV out of bounds read attempt (server-other.rules)
 * 3:46995 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol heap buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:24379 <-> DISABLED <-> SERVER-IIS Microsoft Windows IIS FastCGI request header buffer overflow attempt (server-iis.rules)
 * 1:46735 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46736 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)
 * 1:46737 <-> ENABLED <-> SERVER-WEBAPP D-Link DSL-2750B routers login.cgi command injection attempt (server-webapp.rules)