Talos Rules 2019-03-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-java, file-pdf, malware-cnc, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-03-07 13:47:24 UTC

Snort Subscriber Rules Update

Date: 2019-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
 * 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
 * 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)

Modified Rules:
 * 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)

2019-03-07 13:47:24 UTC

Snort Subscriber Rules Update

Date: 2019-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
 * 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
 * 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)
 * 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)

Modified Rules:
 * 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)

2019-03-07 13:47:24 UTC

Snort Subscriber Rules Update

Date: 2019-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (snort3-malware-cnc.rules)

Modified Rules:
 * 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules)
 * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (snort3-file-java.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (snort3-server-oracle.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (snort3-malware-cnc.rules)
 * 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (snort3-file-pdf.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)

2019-03-07 13:47:24 UTC

Snort Subscriber Rules Update

Date: 2019-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)
 * 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
 * 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
 * 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)

Modified Rules:
 * 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)

2019-03-07 13:47:24 UTC

Snort Subscriber Rules Update

Date: 2019-03-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 1:49351 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc variant outbound connection attempt (malware-cnc.rules)
 * 1:49353 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FrameworkPoc malicious executable download attempt (malware-cnc.rules)
 * 3:49343 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49334 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49348 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49335 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS Fabric Services Protocol stack buffer overflow attempt (server-other.rules)
 * 3:49350 <-> ENABLED <-> SERVER-WEBAPP Cisco NX-OS System Software NX-API command injection attempt (server-webapp.rules)
 * 3:49344 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49339 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49340 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49347 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49346 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49336 <-> ENABLED <-> SERVER-OTHER Cisco FXOS and NX-OS LDAP denial of service attempt (server-other.rules)
 * 3:49342 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49349 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meeting Server cross site scripting attempt (server-webapp.rules)
 * 3:49345 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)
 * 3:49341 <-> ENABLED <-> SERVER-WEBAPP Cisco Identity Services Engine cross site scripting attempt (server-webapp.rules)

Modified Rules:
 * 1:49228 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:41335 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection (malware-cnc.rules)
 * 1:49227 <-> ENABLED <-> FILE-PDF Adobe Acrobat JavaScript engine use after free attempt (file-pdf.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:37805 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)
 * 1:37804 <-> DISABLED <-> FILE-JAVA Oracle Java IntegerInterleavedRaster integer overflow attempt (file-java.rules)