Talos Rules 2018-06-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-other, browser-webkit, file-multimedia, file-office, indicator-compromise, malware-cnc, malware-other, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-06-26 14:03:18 UTC

Snort Subscriber Rules Update

Date: 2018-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
 * 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
 * 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
 * 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
 * 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
 * 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
 * 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

Modified Rules:


 * 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)

2018-06-26 14:03:18 UTC

Snort Subscriber Rules Update

Date: 2018-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
 * 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
 * 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
 * 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
 * 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
 * 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
 * 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

Modified Rules:


 * 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)

2018-06-26 14:03:18 UTC

Snort Subscriber Rules Update

Date: 2018-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (snort3-malware-cnc.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
 * 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (snort3-malware-other.rules)
 * 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (snort3-indicator-compromise.rules)
 * 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (snort3-browser-webkit.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (snort3-browser-chrome.rules)
 * 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (snort3-malware-other.rules)
 * 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (snort3-malware-cnc.rules)
 * 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (snort3-malware-cnc.rules)
 * 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (snort3-malware-cnc.rules)
 * 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (snort3-malware-cnc.rules)

Modified Rules:


 * 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

2018-06-26 14:03:18 UTC

Snort Subscriber Rules Update

Date: 2018-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
 * 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
 * 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
 * 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
 * 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
 * 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

Modified Rules:


 * 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)

2018-06-26 14:03:18 UTC

Snort Subscriber Rules Update

Date: 2018-06-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47018 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47019 <-> DISABLED <-> BROWSER-CHROME Google Chrome V8 __defineGetter__ memory corruption attempt (browser-chrome.rules)
 * 1:47025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection (malware-cnc.rules)
 * 1:47017 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CompressionService.pm command injection attempt (server-webapp.rules)
 * 1:47026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47022 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 1:47030 <-> ENABLED <-> MALWARE-CNC Win.Malware.Innaput variant outbound connection (malware-cnc.rules)
 * 1:47024 <-> DISABLED <-> INDICATOR-COMPROMISE Request for external IP address detected (indicator-compromise.rules)
 * 1:47016 <-> ENABLED <-> MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection (malware-cnc.rules)
 * 1:47015 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup PasswordService.pm command injection attempt (server-webapp.rules)
 * 1:47027 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection detected (malware-cnc.rules)
 * 1:47020 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47021 <-> ENABLED <-> MALWARE-OTHER Portable Executable containing CoinHive download attempt (malware-other.rules)
 * 1:47023 <-> ENABLED <-> BROWSER-WEBKIT Apple WebKit memory corruption attempt (browser-webkit.rules)
 * 3:47028 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)
 * 3:47029 <-> ENABLED <-> BROWSER-OTHER TRUFFLEHUNTER TALOS-2018-0621 attack attempt (browser-other.rules)

Modified Rules:


 * 1:46746 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46745 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 3:13667 <-> ENABLED <-> PROTOCOL-DNS dns cache poisoning attempt (protocol-dns.rules)
 * 3:14253 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:13803 <-> ENABLED <-> FILE-OFFICE RTF control word overflow attempt (file-office.rules)
 * 3:13475 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP denial of service attempt (os-windows.rules)
 * 3:16408 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCP SACK invalid range denial of service attempt (os-windows.rules)
 * 3:41547 <-> ENABLED <-> SERVER-OTHER TLS client hello session resumption detected (server-other.rules)
 * 3:15125 <-> ENABLED <-> FILE-OFFICE Microsoft Word rich text file unpaired dpendgroup exploit attempt (file-office.rules)
 * 3:13835 <-> ENABLED <-> OS-WINDOWS Microsoft Active Directory LDAP cookie denial of service attempt (os-windows.rules)
 * 3:14252 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:14254 <-> ENABLED <-> FILE-MULTIMEDIA Windows Media Player malicious playlist buffer overflow attempt (file-multimedia.rules)
 * 3:41548 <-> ENABLED <-> SERVER-OTHER F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt (server-other.rules)
 * 3:31361 <-> ENABLED <-> SERVER-OTHER OpenSSL DTLSv1.0 handshake fragment buffer overrun attempt (server-other.rules)