Talos Rules 2015-08-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, malware-cnc, os-mobile, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-08-12 19:03:36 UTC

Snort Subscriber Rules Update

Date: 2015-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
 * 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
 * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
 * 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
 * 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

Modified Rules:

 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)

2015-08-12 19:03:36 UTC

Snort Subscriber Rules Update

Date: 2015-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
 * 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
 * 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
 * 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
 * 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

Modified Rules:

 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)

2015-08-12 19:03:36 UTC

Snort Subscriber Rules Update

Date: 2015-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
 * 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
 * 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
 * 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
 * 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

Modified Rules:

 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)

2015-08-12 19:03:36 UTC

Snort Subscriber Rules Update

Date: 2015-08-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35559 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35558 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35557 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35556 <-> DISABLED <-> BROWSER-PLUGINS Panasonic Security API SDK MulticastAddr ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35555 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35554 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35553 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35552 <-> DISABLED <-> SERVER-MAIL cURL protocol file path URL parsing control character injection attempt (server-mail.rules)
 * 1:35551 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BlackCoffee outbound connection (malware-cnc.rules)
 * 1:35550 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:35549 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zeus variant outbound connection (malware-cnc.rules)
 * 1:35548 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35547 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35546 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35545 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35544 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35543 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Exploit Kit flash exploit download attempt (exploit-kit.rules)
 * 1:35541 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35540 <-> ENABLED <-> SERVER-OTHER EMC AutoStart ftagent SQL injection attempt (server-other.rules)
 * 1:35539 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt (policy-other.rules)
 * 1:35538 <-> DISABLED <-> POLICY-OTHER EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt (policy-other.rules)
 * 1:35535 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35534 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35533 <-> DISABLED <-> SERVER-WEBAPP ManageEngine IT360 BSIntegInfoHandler resIds SQL injection attempt (server-webapp.rules)
 * 1:35532 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 1:35531 <-> DISABLED <-> SERVER-WEBAPP Apache HTTP server mod_cache denial of service attempt (server-webapp.rules)
 * 3:35536 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)
 * 3:35537 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arbitrary code execution attempt (browser-ie.rules)

Modified Rules:

 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35433 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35432 <-> ENABLED <-> FILE-IDENTIFY M4A file magic detected (file-identify.rules)
 * 1:35393 <-> DISABLED <-> MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate (malware-cnc.rules)