Talos Rules 2015-08-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-image, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other, server-webapp and sql rule sets to provide coverage for emerging threats affecting these technologies.

Change logs

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)

Modified Rules:


 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)
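As an added example (not part of the Talos release or of the Snort rule pack itself), the script below parses a listing in the "gid:sid <-> Default rule state <-> Message (rule group)" format used above and turns it into something an operator can act on: the rules that ship DISABLED by default (candidates for an enablesid list), and the malware domains carried in the BLACKLIST DNS rules, grouped by family. SAMPLE_CHANGELOG is a short excerpt constructed from lines of the 2962 listing above; the enablesid output assumes PulledPork's enablesid.conf syntax of one gid:sid entry per line.

```python
"""Parse a Talos/Snort rule-update changelog into structured records."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One listing line, e.g.
#  * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader ... (file-executable.rules)
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z]+(?:-[A-Z]+)*)\s+(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# Message form used by the blacklist.rules entries in this release
BLACKLIST_MSG = re.compile(
    r"^DNS request for known malware domain (?P<domain>\S+) - (?P<family>.+)$"
)

# Constructed excerpt of the 2962 listing above (sample input, not the full changelog)
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)

Modified Rules:

 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection  (malware-cnc.rules)
"""


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool      # default rule state in the pack
    category: str      # leading classification word, e.g. FILE-PDF, BLACKLIST
    message: str       # rule message with the category and group stripped
    group: str         # rules file the rule lives in
    section: str       # "new" or "modified"


def parse_changelog(text: str) -> List[Rule]:
    """Return every rule line found under 'New Rules:' or 'Modified Rules:'."""
    rules: List[Rule] = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if m is None or section is None:
            continue  # headers, blank lines, and anything outside a section
        rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                          m["category"], m["msg"], m["group"], section))
    return rules


def disabled_new_rules(rules: List[Rule]) -> List[Rule]:
    """New rules that ship off by default; review these before enabling."""
    return sorted((r for r in rules if r.section == "new" and not r.enabled),
                  key=lambda r: (r.gid, r.sid))


def enablesid_lines(rules: List[Rule]) -> List[str]:
    """PulledPork-style enablesid.conf entries (assumed: one gid:sid per line)."""
    return [f"{r.gid}:{r.sid}" for r in disabled_new_rules(rules)]


def blacklist_domains(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map malware family -> domains named in the BLACKLIST DNS rules."""
    out: Dict[str, List[str]] = {}
    for r in rules:
        if r.category != "BLACKLIST":
            continue
        m = BLACKLIST_MSG.match(r.message)
        if m:
            out.setdefault(m["family"], []).append(m["domain"])
    return out


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print(f"{len(parsed)} rules parsed")
    print("disabled by default:", ", ".join(enablesid_lines(parsed)))
    for family, domains in blacklist_domains(parsed).items():
        print(f"{family}: {' '.join(domains)}")
```

The regex anchors on the literal "<->" separators and the trailing "(name.rules)" group, so a message that itself contains " - " (the SQL and BLACKLIST entries) is kept intact; only the category word is split off. Feed the script the full text of a listing to get the complete disabled-by-default set and indicator list for that pack.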

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)

Modified Rules:


 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)

2015-08-27 18:46:20 UTC

Snort Subscriber Rules Update

Date: 2015-08-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35823 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35822 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35821 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35820 <-> ENABLED <-> FILE-FLASH Adobe Flash Player scale9Grid use after free attempt (file-flash.rules)
 * 1:35819 <-> DISABLED <-> SQL union select - possible percent-delimited SQL injection attempt - GET parameter (sql.rules)
 * 1:35818 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35817 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server RenameFile method directory traversal attempt (server-webapp.rules)
 * 1:35816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35814 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35813 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound type confusion attempt (file-flash.rules)
 * 1:35812 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35811 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANStartApproval - possible privilege escalation attempt (file-pdf.rules)
 * 1:35810 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35809 <-> ENABLED <-> FILE-PDF Adobe Reader Javascript API ANSendForReview - possible privilege escalation attempt (file-pdf.rules)
 * 1:35808 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35807 <-> ENABLED <-> FILE-PDF Adobe Reader validation bypass privilege escalation attempt (file-pdf.rules)
 * 1:35806 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35805 <-> ENABLED <-> FILE-EXECUTABLE Adobe Reader NtSetInformationFile privilege escalation attempt (file-executable.rules)
 * 1:35804 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection (malware-cnc.rules)
 * 1:35803 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35802 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wdwwdwfwd.net76.net - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35801 <-> ENABLED <-> BLACKLIST DNS request for known malware domain quadjacks.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35800 <-> ENABLED <-> BLACKLIST DNS request for known malware domain itsurvive.com - Win.Trojan.Seyelifon (blacklist.rules)
 * 1:35799 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35798 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat malformed PCX one-byte heap overwrite attempt (file-image.rules)
 * 1:35797 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file download request (file-identify.rules)
 * 1:35796 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35795 <-> ENABLED <-> FILE-IDENTIFY ZSoft PCX file attachment detected (file-identify.rules)
 * 1:35794 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:35793 <-> ENABLED <-> BLACKLIST DNS request for known malware domain teenpornotube.org - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35792 <-> ENABLED <-> BLACKLIST DNS request for known malware domain shmetterheath.ru - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35791 <-> ENABLED <-> BLACKLIST DNS request for known malware domain serenitynowbooksandgifts.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35790 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ledshoppen.nl - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35789 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fgainterests.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35788 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ezglobalmarketing.com - TeslaCrypt 2.0 (blacklist.rules)
 * 1:35787 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35786 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader trusted function privilege escalation attempt (file-pdf.rules)
 * 1:35785 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35784 <-> ENABLED <-> FILE-PDF Adobe Reader AcroForm null pointer dereference attempt (file-pdf.rules)
 * 1:35783 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection (malware-cnc.rules)
 * 1:35782 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35781 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader privileged method protection bypass attempt (file-pdf.rules)
 * 1:35780 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)
 * 1:35779 <-> ENABLED <-> FILE-PDF Adobe Reader out of bounds memory read attempt (file-pdf.rules)

Modified Rules:


 * 1:13979 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Event System Subscription VBScript access (os-windows.rules)
 * 1:13990 <-> DISABLED <-> SQL union select - possible sql injection attempt - GET parameter (sql.rules)
 * 1:15090 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:18400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRSS local process allowed to persist through logon or logoff attempt (os-windows.rules)
 * 1:18672 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 8 Developer Tool ActiveX clsid access (browser-ie.rules)
 * 1:30878 <-> DISABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java (exploit-kit.rules)
 * 1:31198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:31199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:33592 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33593 <-> DISABLED <-> FILE-OTHER Adobe Shockwave Player SwDir.dll PlayerVersion Buffer Overflow attempt (file-other.rules)
 * 1:33640 <-> ENABLED <-> FILE-IDENTIFY Apple Motion file download request (file-identify.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33941 <-> DISABLED <-> MALWARE-OTHER Executable control panel file download request (malware-other.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:34334 <-> ENABLED <-> EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download (exploit-kit.rules)
 * 1:34397 <-> ENABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34609 <-> ENABLED <-> MALWARE-CNC Trojan.NitLove variant outbound connection attempt (malware-cnc.rules)
 * 1:34641 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34642 <-> DISABLED <-> BROWSER-PLUGINS McAffee Virtual Technician ActiveX control denial of service attempt ActiveX function call (browser-plugins.rules)
 * 1:34643 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX clsid access (browser-plugins.rules)
 * 1:34644 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric Pelco Rvctl.RVControl.1 ActiveX clsid access attempt ActiveX function call (browser-plugins.rules)
 * 1:34823 <-> DISABLED <-> POLICY-OTHER HP SiteScope unspecified privilege escalation attempt (policy-other.rules)
 * 1:35247 <-> ENABLED <-> FILE-IDENTIFY GNI file download request (file-identify.rules)
 * 1:35301 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Lpdsuite POST request (malware-cnc.rules)
 * 1:35348 <-> ENABLED <-> MALWARE-CNC Trojan.Win32.Ralminey POST request (malware-cnc.rules)
 * 1:35423 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Visual Basic Charts ActiveX function call access (browser-plugins.rules)
 * 1:35523 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35524 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TTF invalid system memory access attempt (os-windows.rules)
 * 1:35639 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35641 <-> ENABLED <-> FILE-FLASH Adobe Flash Player childNodes XML object use after free attempt (file-flash.rules)
 * 1:35750 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection attempt (malware-cnc.rules)
 * 1:35753 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35756 <-> ENABLED <-> FILE-FLASH Adobe Flash Player SharedObject use after free attempt (file-flash.rules)
 * 1:35769 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Cobrike inbound connection (malware-cnc.rules)
 * 1:9848 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numfills parameter buffer overflow attempt (os-windows.rules)
 * 1:9849 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Vector Markup Language recolorinfo tag numcolors parameter buffer overflow attempt (os-windows.rules)