Talos has added and modified multiple rules in the browser-other, file-executable, file-office, indicator-obfuscation, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)

Here gid 1 denotes a text rule and gid 3 a shared-object (precompiled) rule, which only loads if the SO rule package for your platform is installed. DISABLED means the rule ships commented out in the snapshot and produces no alerts until you enable it in your policy (for example through enablesid with PulledPork); ENABLED rules are active as shipped.
* 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
* 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
* 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
* 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)
* 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
* 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
* 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
* 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
* 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
* 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
* 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
* 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
* 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:42114 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant new bot registered (malware-cnc.rules)
* 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)
* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
* 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)
* 1:42108 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42107 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork module command injection attempt (server-webapp.rules)
* 1:42106 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42105 <-> DISABLED <-> SERVER-WEBAPP EyesOfNetwork ged_actions.php command injection attempt (server-webapp.rules)
* 1:42104 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42103 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42102 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SafeSync command injection attempt (server-webapp.rules)
* 1:42101 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:42100 <-> DISABLED <-> FILE-EXECUTABLE AnC MMU side channel ASLR bypass attack (file-executable.rules)
* 1:41367 <-> ENABLED <-> SERVER-OTHER NTPD zero origin timestamp denial of service attempt (server-other.rules)
* 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)
* 1:40520 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:40521 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
* 1:41109 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:41424 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cerber outbound connection attempt (malware-cnc.rules)
* 1:42030 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant file download attempt (malware-cnc.rules)
* 1:41108 <-> DISABLED <-> FILE-OFFICE Oracle Outside In Technology image export use after free attempt (file-office.rules)
* 1:40519 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)
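The three rule packs above (2976, 2983 and 2990) all use the same `gid:sid <-> state <-> message (rule group)` format, and most of the new server-webapp, file-executable and protocol-scada coverage ships DISABLED. The script below is an added example, not part of the Talos release notes or of any Snort tooling: it parses the list as pasted (entries on separate lines or run together on one line), counts where the default-disabled rules sit, emits `gid:sid` lines for a PulledPork enablesid.conf for the groups you choose, and diffs two packs to show what was added or flipped between releases. The sample entries are constructed from the lists above; `SAMPLE` and `NEXT_PACK` are names chosen for this example.

```python
"""Parse Snort release-note rule lists and turn them into policy actions."""
import re
from collections import Counter

# Constructed sample in the release-note format. The second and third entries
# are deliberately run together on one line, as they appear after copy/paste.
SAMPLE = (
    "* 1:42113 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai variant post compromise download (malware-cnc.rules)\n"
    "* 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules) "
    "* 1:42109 <-> DISABLED <-> PROTOCOL-SCADA invalid modbus protocol identifier (protocol-scada.rules)\n"
    "* 3:42112 <-> ENABLED <-> BROWSER-OTHER multiple browsers content security policy bypass attempt (browser-other.rules)\n"
)

# Constructed "next release" for the diff: 1:42110 flipped to ENABLED, 1:42111 new.
NEXT_PACK = SAMPLE.replace("1:42110 <-> DISABLED", "1:42110 <-> ENABLED") + (
    "* 1:42111 <-> DISABLED <-> INDICATOR-OBFUSCATION Base64 encoded String.fromCharCode (indicator-obfuscation.rules)\n"
)

# One entry: gid:sid, default state, free-text message, then the rule file in parentheses.
# finditer over the whole text means line breaks between entries do not matter.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)"
)


def parse_entries(text):
    """Return one dict per gid:sid entry found in the pasted list."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"],
            "group": m["group"],
            # gid 3 entries are shared-object (precompiled) rules; gid 1 are text rules.
            "shared_object": m["gid"] == "3",
        })
    return entries


def disabled_by_group(entries):
    """Count default-disabled rules per rule file: coverage that is opt-in."""
    return Counter(e["group"] for e in entries if not e["enabled"])


def enablesid_lines(entries, groups):
    """gid:sid lines for a PulledPork enablesid.conf covering the default-disabled
    rules in the chosen rule files, sorted so the file diffs cleanly over time."""
    wanted = [e for e in entries if not e["enabled"] and e["group"] in groups]
    return [f"{e['gid']}:{e['sid']}" for e in sorted(wanted, key=lambda e: (e["gid"], e["sid"]))]


def shared_object_sids(entries):
    """Shared-object rules need the SO package for your platform, so list them separately."""
    return sorted((e["gid"], e["sid"]) for e in entries if e["shared_object"])


def diff_packs(old_entries, new_entries):
    """(added, flipped): gid:sid keys new to the pack, and keys whose default state changed."""
    old = {(e["gid"], e["sid"]): e for e in old_entries}
    new = {(e["gid"], e["sid"]): e for e in new_entries}
    added = sorted(k for k in new if k not in old)
    flipped = sorted(k for k in new if k in old and old[k]["enabled"] != new[k]["enabled"])
    return added, flipped


if __name__ == "__main__":
    current = parse_entries(SAMPLE)
    print("default-disabled per group:", dict(disabled_by_group(current)))
    print("enablesid.conf:", enablesid_lines(current, {"server-webapp.rules", "protocol-scada.rules"}))
    print("shared-object rules:", shared_object_sids(current))
    print("added / flipped vs next pack:", diff_packs(current, parse_entries(NEXT_PACK)))
```

The enablesid output is only half the job: after PulledPork rewrites the rule files, confirm the state with `snort -T -c snort.conf` and check that the SIDs you enabled actually load, and remember that a rule enabled here still fires only for traffic the preprocessor configuration (for example the HTTP and Modbus preprocessors for the server-webapp and protocol-scada rules) hands to the detection engine.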