Talos Rules 2015-07-10
Talos is aware of vulnerabilities affecting OpenSSL.

OpenSSL Vulnerability CVE-2015-1793: A coding deficiency in OpenSSL exists that may lead to a security feature bypass.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 35111.

Talos has also added and modified multiple rules in the and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-07-10 18:19:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)
 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomolous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)

Modified Rules:



2015-07-10 18:19:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomolous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)
 * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)

Modified Rules:



2015-07-10 18:19:20 UTC

Snort Subscriber Rules Update

Date: 2015-07-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35111 <-> DISABLED <-> SERVER-OTHER OpenSSL anomolous x509 certificate with default org name and certificate chain detected (server-other.rules)
 * 1:35110 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)
 * 1:35109 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected (exploit-kit.rules)

Modified Rules: