Snort - Network Intrusion Detection & Prevention System

Talos Rules 2017-03-02

This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-pdf, indicator-compromise, malware-cnc, malware-tools, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2976

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)

2983

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)
 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)

2990

2017-03-02 15:21:30 UTC

Snort Subscriber Rules Update

Date: 2017-03-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41789 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41788 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro DNS query response (malware-cnc.rules)
 * 1:41787 <-> ENABLED <-> MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response (malware-cnc.rules)
 * 1:41785 <-> DISABLED <-> SERVER-WEBAPP carel plantvisor directory traversal exploitation attempt (server-webapp.rules)
 * 1:41784 <-> DISABLED <-> INDICATOR-COMPROMISE clorius controls information gathering attempt (indicator-compromise.rules)
 * 1:41783 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit URL outbound communication (exploit-kit.rules)
 * 1:41782 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41781 <-> ENABLED <-> SERVER-WEBAPP carel plantvisorpro3 directory traversal attempt (server-webapp.rules)
 * 1:41780 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ratankba variant outbound connection (malware-cnc.rules)
 * 1:41779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eye-watch.in - Ratankba (blacklist.rules)
 * 1:41778 <-> ENABLED <-> PROTOCOL-SCADA Yokogawa CS3000 BKFSim_vhfd buffer overflow attempt (protocol-scada.rules)
 * 1:41777 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41776 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41775 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41774 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41773 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41772 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41771 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 3:41786 <-> ENABLED <-> SERVER-OTHER Cisco NetFlow Generation Appliance SCTP denial of service attempt (server-other.rules)

Modified Rules:


 * 1:21104 <-> ENABLED <-> MALWARE-TOOLS slowhttptest DoS tool (malware-tools.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:40334 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:40420 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader XML XSL transform exploitation attempt (file-pdf.rules)
 * 1:40421 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:41377 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41378 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer runtimeStyle use-after-free attempt (browser-ie.rules)
 * 1:41692 <-> DISABLED <-> SERVER-WEBAPP McAfee Virus Scan Linux unauthorized authentication token usage attempt (server-webapp.rules)