Talos Rules 2019-02-14
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-office, file-other, file-pdf, malware-cnc, malware-other, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-02-14 15:18:33 UTC

Snort Subscriber Rules Update

Date: 2019-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49194 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:49193 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49192 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49208 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49207 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49204 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49203 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49202 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49201 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49200 <-> DISABLED <-> FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt (file-other.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:49197 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49196 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 3:49210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)
 * 3:49198 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0783 attack attempt (server-webapp.rules)
 * 3:49209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)
 * 3:49206 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49205 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)

Modified Rules:

 * 1:49100 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt (server-other.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)

2019-02-14 15:18:33 UTC

Snort Subscriber Rules Update

Date: 2019-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49201 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49208 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49200 <-> DISABLED <-> FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt (file-other.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:49202 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49192 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49194 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:49196 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49203 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49204 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49207 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49197 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49193 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 3:49198 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0783 attack attempt (server-webapp.rules)
 * 3:49205 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49206 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)
 * 3:49210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)

Modified Rules:

 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:49100 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt (server-other.rules)

2019-02-14 15:18:33 UTC

Snort Subscriber Rules Update

Date: 2019-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49194 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (snort3-pua-other.rules)
 * 1:49202 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (snort3-file-pdf.rules)
 * 1:49208 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (snort3-malware-cnc.rules)
 * 1:49207 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (snort3-malware-cnc.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (snort3-file-other.rules)
 * 1:49192 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:49201 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (snort3-file-pdf.rules)
 * 1:49203 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49193 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (snort3-file-pdf.rules)
 * 1:49196 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (snort3-file-pdf.rules)
 * 1:49200 <-> DISABLED <-> FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt (snort3-file-other.rules)
 * 1:49197 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (snort3-file-pdf.rules)
 * 1:49204 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (snort3-server-other.rules)

Modified Rules:

 * 1:49100 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt (snort3-server-other.rules)
 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (snort3-malware-other.rules)

2019-02-14 15:18:33 UTC

Snort Subscriber Rules Update

Date: 2019-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49207 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49208 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49203 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49193 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49194 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:49204 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49202 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49200 <-> DISABLED <-> FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt (file-other.rules)
 * 1:49201 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:49196 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49197 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49192 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 3:49198 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0783 attack attempt (server-webapp.rules)
 * 3:49205 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49206 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)
 * 3:49210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)

Modified Rules:

 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:49100 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt (server-other.rules)

2019-02-14 15:18:33 UTC

Snort Subscriber Rules Update

Date: 2019-02-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:49208 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 1:49202 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49197 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49192 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49200 <-> DISABLED <-> FILE-OTHER Microsoft Windows VCF arbitrary code execution attempt (file-other.rules)
 * 1:49199 <-> DISABLED <-> FILE-OTHER Microsoft Windows Contact file arbitrary code execution attempt (file-other.rules)
 * 1:49196 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript defineProperty memory corruption attempt (file-pdf.rules)
 * 1:49194 <-> ENABLED <-> PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt (pua-other.rules)
 * 1:49201 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript memory corruption attempt (file-pdf.rules)
 * 1:49193 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory corruption attempt (file-pdf.rules)
 * 1:49203 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49195 <-> DISABLED <-> SERVER-OTHER Multiple products runc arbitrary code execution attempt (server-other.rules)
 * 1:49204 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript out-of-bounds read attempt (file-pdf.rules)
 * 1:49207 <-> ENABLED <-> MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt (malware-cnc.rules)
 * 3:49198 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0783 attack attempt (server-webapp.rules)
 * 3:49205 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49206 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0779 attack attempt (file-other.rules)
 * 3:49209 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)
 * 3:49210 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0780 attack attempt (file-office.rules)

Modified Rules:

 * 1:47077 <-> ENABLED <-> MALWARE-OTHER HTA script hidden window execution attempt (malware-other.rules)
 * 1:49100 <-> DISABLED <-> SERVER-OTHER Microsoft Exchange Server NTLM relay attack attempt (server-other.rules)