Talos Rules 2018-09-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-image, file-office, file-other, malware-backdoor, policy-other and protocol-dns rule sets to provide coverage for emerging threats from these technologies. Note the default states below: every new text rule (gid:1) in this release ships DISABLED and will not alert until it is enabled in the local policy; only the gid:3 policy-other rule for Cisco Video Surveillance Operations Manager default-password use and the modified Win.Backdoor.Tinrot.A detection are ENABLED by default. The Snort 3 pack (version 3000) carries the same gid:1 rules under snort3- prefixed rule files and does not include the gid:3 rule.

Change logs

2018-09-25 15:42:24 UTC

Snort Subscriber Rules Update

Date: 2018-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)

Modified Rules:


 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)

2018-09-25 15:42:24 UTC

Snort Subscriber Rules Update

Date: 2018-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)

Modified Rules:


 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)

2018-09-25 15:42:24 UTC

Snort Subscriber Rules Update

Date: 2018-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (snort3-file-office.rules)
 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (snort3-file-other.rules)
 * 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (snort3-file-office.rules)
 * 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (snort3-file-other.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (snort3-file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (snort3-protocol-dns.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)

Modified Rules:


 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (snort3-malware-backdoor.rules)

2018-09-25 15:42:24 UTC

Snort Subscriber Rules Update

Date: 2018-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
 * 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)

Modified Rules:


 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)

2018-09-25 15:42:24 UTC

Snort Subscriber Rules Update

Date: 2018-09-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47890 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 1:47883 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47885 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47888 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47884 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro EMF image conversion memory corruption attempt (file-other.rules)
 * 1:47889 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel invalid Window2 BIFF record value attempt (file-office.rules)
 * 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)

Modified Rules:


 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)
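The five change log entries above share one line format, `gid:sid <-> Default rule state <-> Message (rule group)`, and the operationally important fact is easy to miss when skimming them: almost every new rule is DISABLED by default. The following is an added example, not Talos or Snort code, that parses that format, lists the new rules an operator still has to enable, and diffs the packs built for different Snort versions. The SAMPLE text is an excerpt copied from the entries above (two of the five packs, trimmed); the function names are my own.

```python
"""Parse Talos/Snort rule-update change logs whose rule lines have the form

    gid:sid <-> Default rule state <-> Message (rule group)

and answer the questions an operator has after a release: which new rules
arrived DISABLED (they will not fire until enabled in the local policy), which
rule groups they fall into, and how the packs for different Snort versions differ.
"""
import re
from collections import defaultdict

# "rule pack for Snort version 2091101." -> pack identifier
PACK_HEADER = re.compile(r"rule pack for Snort version (\d+)\.")
# "New Rules:" / "Modified Rules:" section markers
SECTION_HEADER = re.compile(r"^(New|Modified) Rules:$")
# " * 1:47886 <-> DISABLED <-> FILE-OTHER ... attempt (file-other.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return {snort_version: {"New": [rule, ...], "Modified": [rule, ...]}}.

    Each rule is a dict with gid, sid, state, msg and group. Lines matching
    none of the three patterns (timestamps, blank lines, the format legend)
    are skipped, so the whole page can be fed in unmodified.
    """
    packs = {}
    version = section = None
    for line in text.splitlines():
        m = PACK_HEADER.search(line)
        if m:
            version = m.group(1)
            packs[version] = {"New": [], "Modified": []}
            section = None
            continue
        m = SECTION_HEADER.match(line.strip())
        if m:
            section = m.group(1)
            continue
        m = RULE_LINE.match(line)
        if m and version and section:
            gid, sid, state, msg, group = m.groups()
            packs[version][section].append(
                {"gid": int(gid), "sid": int(sid), "state": state, "msg": msg, "group": group}
            )
    return packs


def disabled_by_default(pack, section="New"):
    """'gid:sid' keys of rules in `section` that ship DISABLED, sorted numerically.

    One key per line is the shape rule-management tools such as PulledPork
    accept in an enablesid list, so this output can be reviewed and fed on.
    """
    rules = [r for r in pack[section] if r["state"] == "DISABLED"]
    return [f'{r["gid"]}:{r["sid"]}' for r in sorted(rules, key=lambda r: (r["gid"], r["sid"]))]


def rules_by_group(pack, section="New"):
    """Map rule group file -> sorted sids, to see which categories a release touches."""
    groups = defaultdict(list)
    for r in pack[section]:
        groups[r["group"]].append(r["sid"])
    return {g: sorted(s) for g, s in groups.items()}


def pack_diff(packs, a, b):
    """(gid, sid) pairs present in pack `a` but absent from pack `b`, any section."""
    def keys(v):
        return {(r["gid"], r["sid"]) for sec in packs[v].values() for r in sec}
    return sorted(keys(a) - keys(b))


# Constructed sample: an excerpt of the change log above (two of the five packs,
# trimmed) so the module runs offline.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:

 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (file-other.rules)
 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (file-other.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (protocol-dns.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (browser-plugins.rules)
 * 3:47880 <-> ENABLED <-> POLICY-OTHER Cisco Video Surveillance Operations Manager default password use attempt (policy-other.rules)

Modified Rules:

 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (malware-backdoor.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:

 * 1:47882 <-> DISABLED <-> FILE-OTHER Ghostscript -dSAFER sandbox bypass attempt (snort3-file-other.rules)
 * 1:47886 <-> DISABLED <-> FILE-OTHER Microsoft Windows JET Database Engine out-of-bounds write attempt (snort3-file-other.rules)
 * 1:47887 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows JET Database Engine ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:47881 <-> DISABLED <-> PROTOCOL-DNS dnsmasq add_pseudoheader memory leak attempt (snort3-protocol-dns.rules)

Modified Rules:

 * 1:23341 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection (snort3-malware-backdoor.rules)
"""

if __name__ == "__main__":
    packs = parse_changelog(SAMPLE)
    for version, pack in packs.items():
        print(f"Snort {version}: new rules still DISABLED:", disabled_by_default(pack))
        print(f"Snort {version}: new rules by group:", rules_by_group(pack))
    print("In 2.9.11.1 pack but not in Snort 3 pack:", pack_diff(packs, "2091101", "3000"))
```

Run against the full page text the same functions show the gid:1 set is identical across all five packs and that the single gid:3 rule is the only difference between the Snort 2.9.x and Snort 3 packs. Enabling a rule from the DISABLED list is a policy decision (the JET and Acrobat file rules inspect file content and carry a performance cost), which is why the tool only lists candidates rather than enabling them.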