Talos Rules 2015-08-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-image, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)

Modified Rules:

 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)

Modified Rules:

 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)

Modified Rules:

 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)