Talos Rules 2019-06-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-cnc, malware-tools, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (policy-other.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (malware-cnc.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (os-windows.rules)

Modified Rules:

 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (malware-cnc.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (os-windows.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (policy-other.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)

Modified Rules:

 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (malware-cnc.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (policy-other.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (os-windows.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)

Modified Rules:

 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (snort3-malware-tools.rules)
 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (snort3-malware-cnc.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (snort3-file-image.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (snort3-malware-tools.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (snort3-policy-other.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (snort3-file-image.rules)
 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (snort3-file-pdf.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (snort3-os-windows.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (snort3-file-pdf.rules)

Modified Rules:

 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (snort3-file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (snort3-file-image.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (snort3-file-image.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (snort3-file-image.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (snort3-file-other.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (snort3-file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (snort3-file-image.rules)

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (malware-cnc.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (policy-other.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (os-windows.rules)

Modified Rules:

 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)

2019-06-18 12:22:58 UTC

Snort Subscriber Rules Update

Date: 2019-06-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:50457 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50449 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50448 <-> ENABLED <-> FILE-PDF Adobe Acrobat double free attempt (file-pdf.rules)
 * 1:50455 <-> ENABLED <-> SERVER-WEBAPP IBM WebSphere Application Server remote code execution attempt (server-webapp.rules)
 * 1:50447 <-> DISABLED <-> POLICY-OTHER HTTP request by IPv4 address attempt (policy-other.rules)
 * 1:50450 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SymCrypt modular inverse algorithm denial of service attempt (os-windows.rules)
 * 1:50453 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:50454 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:50458 <-> ENABLED <-> MALWARE-TOOLS Unix.Downloader.HiddenWasp initial deployment script download attempt (malware-tools.rules)
 * 1:50456 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.HiddenWasp trojan variant outbound connection (malware-cnc.rules)
 * 1:50451 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:50452 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)

Modified Rules:

 * 1:27529 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:25811 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27527 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27530 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27525 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:25810 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:25813 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)
 * 1:27526 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical height overflow attempt (file-image.rules)
 * 1:27528 <-> DISABLED <-> FILE-IMAGE Directshow GIF logical width overflow attempt (file-image.rules)
 * 1:25812 <-> DISABLED <-> FILE-OTHER VMWare OVF Tool format string exploit attempt (file-other.rules)