Talos Rules 2015-06-24
Talos is aware of vulnerabilities affecting products from Adobe Systems Inc.

Adobe Security Bulletin APSB15-14 (CVE-2015-3113): Adobe Flash Player suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34988 through 34989.

Talos has also added and modified multiple rules in the file-flash, file-office, file-other, indicator-compromise, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-06-24 19:22:14 UTC

Snort Subscriber Rules Update

Date: 2015-06-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34992 <-> DISABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34978 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34977 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34973 <-> DISABLED <-> SERVER-OTHER Apache mod_include buffer overflow attempt (server-other.rules)
 * 1:34980 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Msnmm variant outbound connection (malware-cnc.rules)
 * 1:34981 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34974 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34975 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34976 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34983 <-> DISABLED <-> SERVER-WEBAPP PHP SoapClient __call method type confusion attempt (server-webapp.rules)
 * 1:34979 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34984 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34985 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34987 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34986 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34990 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)

Modified Rules:


 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:26353 <-> DISABLED <-> INDICATOR-COMPROMISE IP address check to dyndns.org detected (indicator-compromise.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules)
 * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:33505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)
 * 1:33506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)
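The listing lines above follow the `gid:sid <-> Default rule state <-> Message (rule group)` format stated for the file. As an added example that is not part of the Talos release, here is a small parser that reads such lines, confirms that the SIDs a release cites for a vulnerability (here GID 1, SIDs 34988 through 34989) are actually present and in the expected rule set, and reports which new rules ship DISABLED so that a policy must enable them before they provide coverage. The sample input is a few lines copied from the listing on this page.

```python
import re
from collections import Counter

# Sample input: lines in the documented release format, copied from the listing above.
SAMPLE = """
 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34992 <-> DISABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34983 <-> DISABLED <-> SERVER-WEBAPP PHP SoapClient __call method type confusion attempt (server-webapp.rules)
"""

# gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s+(\d+):(\d+)\s+<->\s+(ENABLED|DISABLED)\s+<->\s+(.*?)\s+\((\S+\.rules)\)\s*$"
)


def parse_rule_lines(text):
    """Parse release listing lines into dicts; lines not in the format are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        gid, sid, state, msg, group = m.groups()
        rules.append({"gid": int(gid), "sid": int(sid),
                      "enabled": state == "ENABLED", "msg": msg, "group": group})
    return rules


def sids_for_range(rules, gid, lo, hi):
    """Rules whose SID lies in [lo, hi] for the given GID, e.g. the
    'GID 1, SIDs 34988 through 34989' coverage statement in the release text."""
    return [r for r in rules if r["gid"] == gid and lo <= r["sid"] <= hi]


def disabled_by_default(rules):
    """SIDs shipped DISABLED: no coverage until a policy explicitly enables them."""
    return sorted(r["sid"] for r in rules if not r["enabled"])


def count_by_group(rules):
    """How many listed rules fall in each rule set (e.g. file-flash.rules)."""
    return Counter(r["group"] for r in rules)


if __name__ == "__main__":
    rules = parse_rule_lines(SAMPLE)
    flash = sids_for_range(rules, 1, 34988, 34989)
    print("Flash coverage SIDs:", [r["sid"] for r in flash])
    print("Disabled by default:", disabled_by_default(rules))
    print("Per rule set:", dict(count_by_group(rules)))
```

Run it over a full release listing to get the per-rule-set counts and the list of DISABLED SIDs to review before deployment.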

2015-06-24 19:22:14 UTC

Snort Subscriber Rules Update

Date: 2015-06-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34985 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Msnmm variant outbound connection (malware-cnc.rules)
 * 1:34979 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34977 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34976 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34980 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34973 <-> DISABLED <-> SERVER-OTHER Apache mod_include buffer overflow attempt (server-other.rules)
 * 1:34974 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34975 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34983 <-> DISABLED <-> SERVER-WEBAPP PHP SoapClient __call method type confusion attempt (server-webapp.rules)
 * 1:34984 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34986 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34987 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34981 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34990 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34978 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34992 <-> DISABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)

Modified Rules:


 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:26353 <-> DISABLED <-> INDICATOR-COMPROMISE IP address check to dyndns.org detected (indicator-compromise.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules)
 * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:33505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)
 * 1:33506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)

2015-06-24 19:22:14 UTC

Snort Subscriber Rules Update

Date: 2015-06-24

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34992 <-> DISABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34991 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34990 <-> ENABLED <-> MALWARE-OTHER Group 6 Adobe Flash exploit download attempt (malware-other.rules)
 * 1:34989 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34988 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed FLV file buffer overflow attempt (file-flash.rules)
 * 1:34987 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34986 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34985 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34984 <-> ENABLED <-> FILE-OTHER VMWare Workstation JPEG2000 stack overflow attempt (file-other.rules)
 * 1:34983 <-> DISABLED <-> SERVER-WEBAPP PHP SoapClient __call method type confusion attempt (server-webapp.rules)
 * 1:34982 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Msnmm variant outbound connection (malware-cnc.rules)
 * 1:34981 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34980 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34979 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getAgentLogFile directory traversal attempt (server-webapp.rules)
 * 1:34978 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34977 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34976 <-> DISABLED <-> SERVER-WEBAPP SysAid Help Desk getGfiUpgradeFile directory traversal attempt (server-webapp.rules)
 * 1:34975 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34974 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio child sub-object string invalid length attempt (file-office.rules)
 * 1:34973 <-> DISABLED <-> SERVER-OTHER Apache mod_include buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:26353 <-> DISABLED <-> INDICATOR-COMPROMISE IP address check to dyndns.org detected (indicator-compromise.rules)
 * 1:32011 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Flooder outbound connection (malware-cnc.rules)
 * 1:32744 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer DisplayChartPDF directory traversal attempt (server-webapp.rules)
 * 1:32745 <-> DISABLED <-> SERVER-WEBAPP ManageEngine NetFlow Analyzer information disclosure attempt (server-webapp.rules)
 * 1:32951 <-> DISABLED <-> POLICY-OTHER base64 encoded executable file download (policy-other.rules)
 * 1:33505 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)
 * 1:33506 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of scope newclass memory corruption attempt (file-flash.rules)