Talos Rules 2018-08-02
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, malware-cnc, policy-other, protocol-voip, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-08-02 12:02:11 UTC

Snort Subscriber Rules Update

Date: 2018-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
 * 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
 * 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
 * 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
 * 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
 * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
 * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
 * 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
 * 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)

2018-08-02 12:02:11 UTC

Snort Subscriber Rules Update

Date: 2018-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
 * 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
 * 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
 * 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
 * 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
 * 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
 * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
 * 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
 * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
 * 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)

2018-08-02 12:02:11 UTC

Snort Subscriber Rules Update

Date: 2018-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (snort3-malware-cnc.rules)
 * 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (snort3-malware-cnc.rules)
 * 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
 * 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (snort3-server-webapp.rules)
 * 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (snort3-server-webapp.rules)
 * 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (snort3-policy-other.rules)
 * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (snort3-server-webapp.rules)
 * 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (snort3-server-webapp.rules)
 * 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (snort3-server-webapp.rules)
 * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (snort3-file-other.rules)
 * 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (snort3-malware-cnc.rules)
 * 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (snort3-pua-adware.rules)
 * 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (snort3-server-webapp.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (snort3-server-other.rules)

2018-08-02 12:02:11 UTC

Snort Subscriber Rules Update

Date: 2018-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
 * 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
 * 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
 * 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
 * 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
 * 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
 * 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
 * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
 * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)

2018-08-02 12:02:11 UTC

Snort Subscriber Rules Update

Date: 2018-08-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47418 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47417 <-> ENABLED <-> PUA-ADWARE Slimware Utilities variant outbound connection (pua-adware.rules)
 * 1:47424 <-> DISABLED <-> SERVER-WEBAPP Site Editor WordPress plugin local file access attempt (server-webapp.rules)
 * 1:47414 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47422 <-> DISABLED <-> FILE-OTHER SAP GUI ABAP code arbitrary dll-load attempt (file-other.rules)
 * 1:47421 <-> DISABLED <-> SERVER-WEBAPP Joomla Core com_fields cross site scripting attempt (server-webapp.rules)
 * 1:47423 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API date_config command injection attempt (server-webapp.rules)
 * 1:47420 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kuping variant outbound connection (malware-cnc.rules)
 * 1:47413 <-> DISABLED <-> POLICY-OTHER Oracle WebLogic T3 inbound connection detected (policy-other.rules)
 * 1:47419 <-> DISABLED <-> SERVER-WEBAPP Easy Hosting Control Panel cross site scripting attempt (server-webapp.rules)
 * 1:47416 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAcess Dashboard Viewer arbitrary file disclosure attempt (server-webapp.rules)
 * 1:47415 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Calisto outbound connection (malware-cnc.rules)
 * 1:47425 <-> DISABLED <-> SERVER-WEBAPP Raptr Plays.tv unauthenticated remote arbitrary file execution attempt (server-webapp.rules)
 * 3:47426 <-> ENABLED <-> PROTOCOL-VOIP Cisco SPA514G SDP field processing denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 1:17391 <-> DISABLED <-> SERVER-OTHER Apache Tomcat UNIX platform backslash directory traversal (server-other.rules)
 * 1:47393 <-> DISABLED <-> SERVER-WEBAPP QNAP QCenter API command injection attempt (server-webapp.rules)