Talos Rules 2018-08-30
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-other, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-08-30 12:55:01 UTC

Snort Subscriber Rules Update

Date: 2018-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47670 <-> DISABLED <-> SERVER-WEBAPP LSIS wXP arbitrary file upload attempt (server-webapp.rules)
 * 1:47669 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt (server-webapp.rules)
 * 1:47668 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt (server-webapp.rules)
 * 1:47667 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47666 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Torpplar variant outbound connection (malware-cnc.rules)
 * 1:47676 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47675 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
 * 1:47673 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt (server-webapp.rules)
 * 1:47672 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt (server-webapp.rules)
 * 1:47671 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt (server-webapp.rules)
 * 3:47680 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47681 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47677 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer hidden webmin credentials login attempt (server-webapp.rules)
 * 3:47679 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47655 <-> ENABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)

2018-08-30 12:55:01 UTC

Snort Subscriber Rules Update

Date: 2018-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Torpplar variant outbound connection (malware-cnc.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47666 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47668 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt (server-webapp.rules)
 * 1:47669 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt (server-webapp.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47673 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt (server-webapp.rules)
 * 1:47671 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt (server-webapp.rules)
 * 1:47672 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt (server-webapp.rules)
 * 1:47676 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
 * 1:47675 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47670 <-> DISABLED <-> SERVER-WEBAPP LSIS wXP arbitrary file upload attempt (server-webapp.rules)
 * 1:47667 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 3:47681 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47679 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47680 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47677 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer hidden webmin credentials login attempt (server-webapp.rules)

Modified Rules:

 * 1:47655 <-> ENABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)

2018-08-30 12:55:01 UTC

Snort Subscriber Rules Update

Date: 2018-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47671 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47669 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt (snort3-server-webapp.rules)
 * 1:47670 <-> DISABLED <-> SERVER-WEBAPP LSIS wXP arbitrary file upload attempt (snort3-server-webapp.rules)
 * 1:47668 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt (snort3-server-webapp.rules)
 * 1:47678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Torpplar variant outbound connection (snort3-malware-cnc.rules)
 * 1:47667 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (snort3-file-other.rules)
 * 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47676 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (snort3-server-webapp.rules)
 * 1:47672 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt (snort3-server-webapp.rules)
 * 1:47675 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (snort3-server-webapp.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (snort3-file-other.rules)
 * 1:47666 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47673 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt (snort3-server-webapp.rules)

Modified Rules:

 * 1:47655 <-> ENABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (snort3-server-webapp.rules)

2018-08-30 12:55:01 UTC

Snort Subscriber Rules Update

Date: 2018-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47673 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt (server-webapp.rules)
 * 1:47668 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt (server-webapp.rules)
 * 1:47678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Torpplar variant outbound connection (malware-cnc.rules)
 * 1:47675 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47672 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt (server-webapp.rules)
 * 1:47670 <-> DISABLED <-> SERVER-WEBAPP LSIS wXP arbitrary file upload attempt (server-webapp.rules)
 * 1:47683 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47682 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF EmfPlusRegionNodePath out of bounds read attempt (file-other.rules)
 * 1:47676 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47667 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47671 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt (server-webapp.rules)
 * 1:47669 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt (server-webapp.rules)
 * 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
 * 1:47666 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 3:47677 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer hidden webmin credentials login attempt (server-webapp.rules)
 * 3:47681 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47679 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47680 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47655 <-> ENABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)

2018-08-30 12:55:01 UTC

Snort Subscriber Rules Update

Date: 2018-08-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:47666 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47675 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47673 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup NetworkInterfaceService.pm command injection attempt (server-webapp.rules)
 * 1:47670 <-> DISABLED <-> SERVER-WEBAPP LSIS wXP arbitrary file upload attempt (server-webapp.rules)
 * 1:47674 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EncryptionService.pm command injection attempt (server-webapp.rules)
 * 1:47671 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailAlertsService.pm command injection attempt (server-webapp.rules)
 * 1:47676 <-> DISABLED <-> SERVER-WEBAPP Cogent DataHub SQL injection attempt (server-webapp.rules)
 * 1:47678 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Torpplar variant outbound connection (malware-cnc.rules)
 * 1:47668 <-> DISABLED <-> SERVER-WEBAPP WordPress plugin WP with Spritz remote file include attempt (server-webapp.rules)
 * 1:47672 <-> DISABLED <-> SERVER-WEBAPP TerraMaster NAS logtable.php command injection attempt (server-webapp.rules)
 * 1:47667 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader JBIG malformed adaptive template pixel out-of-bounds read attempt (file-pdf.rules)
 * 1:47669 <-> DISABLED <-> SERVER-WEBAPP Wordpress plugin WP with Spritz directory traversal attempt (server-webapp.rules)
 * 3:47680 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47677 <-> ENABLED <-> SERVER-WEBAPP Dell SonicWall Scrutinizer hidden webmin credentials login attempt (server-webapp.rules)
 * 3:47679 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)
 * 3:47681 <-> ENABLED <-> SERVER-WEBAPP Cisco TelePresence command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:47655 <-> ENABLED <-> SERVER-WEBAPP Joomla PostInstall Message SQL injection attempt (server-webapp.rules)