Talos Rules 2017-01-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, deleted, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other, protocol-dns, server-iis, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)

Modified Rules:

 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)

Modified Rules:

 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)

2017-01-31 21:29:16 UTC

Snort Subscriber Rules Update

Date: 2017-01-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:41486 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41485 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField antiAliasType use after free attempt (file-flash.rules)
 * 1:41484 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41483 <-> DISABLED <-> FILE-OTHER LexMark Perceptive Document Filters BZIP2 convert out of bounds write attempt (file-other.rules)
 * 1:41482 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41481 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41480 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41479 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:41478 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - result (malware-cnc.rules)
 * 1:41477 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334 (malware-cnc.rules)
 * 1:41476 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky payload download - 987t67g (malware-cnc.rules)
 * 1:41475 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41474 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:41473 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41472 <-> ENABLED <-> FILE-FLASH Adobe Flash Player broker arbitrary file write attempt (file-flash.rules)
 * 1:41465 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41464 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41463 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41462 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Win32 Divide Error Exception Denial of Service attempt (file-executable.rules)
 * 1:41461 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41460 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41459 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41458 <-> ENABLED <-> MALWARE-CNC Osx.Keylogger.Elite variant outbound connection (malware-cnc.rules)
 * 1:41457 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41456 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Elite Keylogger (blacklist.rules)
 * 1:41455 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41454 <-> DISABLED <-> SERVER-WEBAPP Advantech WebAccess updateTemplate SQL injection attempt (server-webapp.rules)
 * 1:41453 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:41452 <-> ENABLED <-> MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities (malware-cnc.rules)
 * 1:41451 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41450 <-> DISABLED <-> BROWSER-IE Internet Explorer CElement object use after free attempt (browser-ie.rules)
 * 1:41449 <-> DISABLED <-> SQL use of sleep function with and - likely SQL injection (sql.rules)
 * 1:41446 <-> ENABLED <-> SERVER-WEBAPP Cisco Meraki default admin credentials attempt (server-webapp.rules)
 * 1:41445 <-> DISABLED <-> SERVER-OTHER QNAP remote buffer overflow attempt (server-other.rules)
 * 1:41444 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41443 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection attempt (malware-cnc.rules)
 * 1:41442 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.X-Mas outbound connection attempt (malware-cnc.rules)
 * 1:41441 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - X-Mas (blacklist.rules)
 * 1:41440 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:41439 <-> ENABLED <-> MALWARE-CNC Dos.Tool.LOIC variant IRC command detected (malware-cnc.rules)
 * 1:41438 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41437 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41436 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41435 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41434 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Oilrig variant outbound connection (malware-cnc.rules)
 * 1:41433 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41432 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41431 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41430 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize function use after free memory corruption vulnerability attempt (server-webapp.rules)
 * 1:41429 <-> DISABLED <-> DELETED d4540486-7de3-432c-98f8-acec00e73c0e (deleted.rules)
 * 1:41428 <-> DISABLED <-> DELETED 7232f6e9-fa36-4db1-9afe-e60b0773be70 (deleted.rules)
 * 1:41427 <-> DISABLED <-> DELETED 4487139a-1bbc-4d99-b624-66c64fa6c17e (deleted.rules)
 * 1:41426 <-> DISABLED <-> DELETED c01c302e-569e-442b-91e9-d5b704fc185a (deleted.rules)
 * 1:41425 <-> DISABLED <-> DELETED d1b67879-1a2c-4dbc-a10e-762d2285e112 (deleted.rules)
 * 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
 * 1:41423 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41422 <-> DISABLED <-> BROWSER-PLUGINS Mozilla Firefox generatecrmfrequest policy function call access attempt (browser-plugins.rules)
 * 1:41421 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41420 <-> ENABLED <-> SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt (server-webapp.rules)
 * 1:41419 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 1:41418 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection type confusion attempt (file-flash.rules)
 * 3:41447 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41448 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0275 attack attempt (file-other.rules)
 * 3:41466 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0278 attack attempt (server-other.rules)
 * 3:41467 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0276 TALOS-2017-0277 attack attempt (server-other.rules)
 * 3:41468 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41469 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2017-0272 attack attempt (file-office.rules)
 * 3:41470 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)
 * 3:41471 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2016-0242 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:13472 <-> DISABLED <-> FILE-OFFICE Microsoft Works file converter field length invalid chunk size buffer overflow attempt (file-office.rules)
 * 1:17648 <-> DISABLED <-> SERVER-IIS source code disclosure attempt (server-iis.rules)
 * 1:19319 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack (malware-other.rules)
 * 1:19318 <-> DISABLED <-> MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack (malware-other.rules)
 * 1:21817 <-> DISABLED <-> PROTOCOL-DNS excessive queries of type ANY - potential DoS (protocol-dns.rules)
 * 1:32717 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:32716 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 7 CTreeNode object remote code execution attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:41338 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41339 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41340 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41341 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP1 segment out of bounds memory access attempt (file-image.rules)
 * 1:41409 <-> DISABLED <-> POLICY-OTHER Cisco WebEx explicit use of web plugin (policy-other.rules)
 * 1:13474 <-> DISABLED <-> OS-WINDOWS Microsoft WebDAV MiniRedir remote code execution attempt (os-windows.rules)
 * 3:41213 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2016-0265 attack attempt (server-other.rules)