Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, file-other, malware-cnc, os-solaris, protocol-rpc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 1:43184 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
* 1:43181 <-> ENABLED <-> FILE-OTHER Oniguruma expression parser out of bounds write attempt (file-other.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43182 <-> ENABLED <-> FILE-OTHER Oniguruma expression parser out of bounds write attempt (file-other.rules)
* 1:43183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
* 1:43186 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:43187 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
* 1:43185 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
* 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
* 1:43190 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43194 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection (malware-cnc.rules)
* 1:43193 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection (malware-cnc.rules)
* 1:43191 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway performBackupNow.do command injection attempt (server-webapp.rules)
* 3:43192 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0364 attack attempt (server-other.rules)

* 1:41510 <-> DISABLED <-> SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt (server-other.rules)
* 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules)
* 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
* 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
* 1:41509 <-> DISABLED <-> SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:43194 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection (malware-cnc.rules)
* 1:43193 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection (malware-cnc.rules)
* 1:43191 <-> DISABLED <-> SERVER-WEBAPP Symantec Messaging Gateway performBackupNow.do command injection attempt (server-webapp.rules)
* 1:43190 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Konus variant outbound connection detected (malware-cnc.rules)
* 1:43189 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
* 1:43188 <-> DISABLED <-> PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt (protocol-rpc.rules)
* 1:43187 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
* 1:43186 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:43185 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
* 1:43184 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
* 1:43183 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Matsnu variant outbound conection (malware-cnc.rules)
* 1:43182 <-> ENABLED <-> FILE-OTHER Oniguruma expression parser out of bounds write attempt (file-other.rules)
* 1:43181 <-> ENABLED <-> FILE-OTHER Oniguruma expression parser out of bounds write attempt (file-other.rules)
* 1:43180 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43179 <-> ENABLED <-> FILE-OFFICE Powerpoint mouseover powershell malware download attempt (file-office.rules)
* 1:43178 <-> DISABLED <-> SERVER-WEBAPP VICIdial user_authorization command injection attempt (server-webapp.rules)
* 3:43192 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0364 attack attempt (server-other.rules)

* 1:40755 <-> DISABLED <-> FILE-FLASH Adobe Flash EnableDebugger2 obfuscation attempt (file-flash.rules)
* 1:41037 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA domains command injection attempt (server-webapp.rules)
* 1:41039 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA wmi_domain_controllers command injection attempt (server-webapp.rules)
* 1:41510 <-> DISABLED <-> SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt (server-other.rules)
* 1:42226 <-> DISABLED <-> OS-SOLARIS Solaris RPC XDR overflow code execution attempt (os-solaris.rules)
* 1:41509 <-> DISABLED <-> SERVER-OTHER Pharos PopUp Printer Client DecodeBinary heap buffer overflow attempt (server-other.rules)