Talos Rules 2015-06-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, exploit-kit, file-multimedia, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-06-23 17:02:13 UTC

Snort Subscriber Rules Update

Date: 2015-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules)
 * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules)
 * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection  (malware-cnc.rules)
 * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection  (malware-cnc.rules)
 * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules)
 * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules)
 * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules)
 * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules)
 * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:


 * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
 * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules)
 * 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules)
 * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
 * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)

2015-06-23 17:02:13 UTC

Snort Subscriber Rules Update

Date: 2015-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules)
 * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection  (malware-cnc.rules)
 * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules)
 * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules)
 * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection  (malware-cnc.rules)
 * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules)
 * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules)
 * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:


 * 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
 * 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules)
 * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
 * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)
 * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
 * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules)
 * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)

2015-06-23 17:02:13 UTC

Snort Subscriber Rules Update

Date: 2015-06-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34970 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34969 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:34966 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection (malware-cnc.rules)
 * 1:34965 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Cryptolocker outbound connection attempt (malware-cnc.rules)
 * 1:34964 <-> DISABLED <-> PUA-ADWARE Win.Adware.Sendori user-agent detection (pua-adware.rules)
 * 1:34963 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Threebyte outbound connection  (malware-cnc.rules)
 * 1:34962 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34961 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34960 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk RdsLogsEntry servlet directory traversal attempt (server-webapp.rules)
 * 1:34959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection (malware-cnc.rules)
 * 1:34958 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Androm variant outbound connection (malware-cnc.rules)
 * 1:34957 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sysmain outbound connection  (malware-cnc.rules)
 * 1:34956 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34955 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34954 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34953 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34952 <-> DISABLED <-> SERVER-OTHER OpenSSL invalid PSS parameter denial of service attempt (server-other.rules)
 * 1:34951 <-> DISABLED <-> SERVER-OTHER PHP DateTimeZone object timezone unserialize type confusion attempt (server-other.rules)
 * 1:34950 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Prok variant outbound connection (malware-cnc.rules)
 * 1:34949 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34948 <-> ENABLED <-> SERVER-WEBAPP Rocket Servergraph Admin Center userRequest and tsmRequest command execution attempt (server-webapp.rules)
 * 1:34947 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 1:34946 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox automatic user click event attempt (browser-firefox.rules)
 * 3:34967 <-> ENABLED <-> SERVER-OTHER Fortinet FSSO stack buffer overflow attempt (server-other.rules)
 * 3:34968 <-> ENABLED <-> SERVER-WEBAPP Cisco Sourcefire 3D System integrated BMC arbitrary file upload attempt (server-webapp.rules)
 * 3:34971 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)
 * 3:34972 <-> ENABLED <-> SERVER-OTHER MIT Kerberos KDC as-req sname null pointer dereference attempt (server-other.rules)

Modified Rules:


 * 1:29166 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29164 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound flash request (exploit-kit.rules)
 * 1:28237 <-> DISABLED <-> EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt (exploit-kit.rules)
 * 1:25801 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit jar file request (exploit-kit.rules)
 * 1:25799 <-> DISABLED <-> EXPLOIT-KIT Stamp exploit kit pdf request (exploit-kit.rules)
 * 1:15473 <-> DISABLED <-> FILE-MULTIMEDIA Multiple media players M3U playlist file handling buffer overflow attempt (file-multimedia.rules)
 * 1:28477 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit outbound pdf request (exploit-kit.rules)
 * 1:28478 <-> DISABLED <-> EXPLOIT-KIT Styx exploit kit landing page request (exploit-kit.rules)
 * 1:29163 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound exploit request (exploit-kit.rules)
 * 1:29165 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit outbound jar request (exploit-kit.rules)
 * 1:29167 <-> DISABLED <-> EXPLOIT-KIT CritX exploit kit payload download attempt (exploit-kit.rules)
 * 1:29443 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit outbound connection attempt (exploit-kit.rules)
 * 1:29444 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download (exploit-kit.rules)
 * 1:31965 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit landing page (exploit-kit.rules)
 * 1:31966 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31967 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:31972 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit payload delivery (exploit-kit.rules)
 * 1:34334 <-> DISABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:31971 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit multiple exploit download request (exploit-kit.rules)
 * 1:31970 <-> DISABLED <-> EXPLOIT-KIT Astrum exploit kit redirection attempt (exploit-kit.rules)