Talos Rules 2015-09-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-09-01 14:34:56 UTC

Snort Subscriber Rules Update

Date: 2015-09-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
 * 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
 * 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
 * 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)
 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
 * 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
 * 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
 * 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)

Modified Rules:

 * 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
 * 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
 * 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)

2015-09-01 14:34:56 UTC

Snort Subscriber Rules Update

Date: 2015-09-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
 * 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
 * 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
 * 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)
 * 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
 * 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
 * 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
 * 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)

Modified Rules:

 * 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
 * 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
 * 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)

2015-09-01 14:34:56 UTC

Snort Subscriber Rules Update

Date: 2015-09-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
 * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
 * 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
 * 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
 * 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
 * 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
 * 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
 * 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
 * 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)

Modified Rules:

 * 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
 * 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
 * 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
 * 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
 * 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
 * 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
 * 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
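An added example (not Talos's or Snort's own code) that parses the "gid:sid <-> Default rule state <-> Message (rule group)" line format used in these change logs, reports which new rules ship DISABLED so an operator can decide whether to enable them, and counts entries per rule set. The embedded sample lines are a constructed subset copied from the listing above; the section names "New Rules:" and "Modified Rules:" are taken from the page.

```python
import re
from collections import Counter, defaultdict

# One changelog line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: a handful of lines copied from the listing above.
SAMPLE = """\
New Rules:
 * 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
 * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
 * 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
Modified Rules:
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
"""

def parse_changelog(text):
    """Return {'new': [...], 'modified': [...]}; each entry has gid, sid (ints),
    state, msg and group. Non-matching lines are skipped, not fatal."""
    entries = defaultdict(list)
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m and section:
            e = m.groupdict()
            e["gid"] = int(e["gid"])
            e["sid"] = int(e["sid"])
            entries[section].append(e)
    return dict(entries)

def disabled_new_rules(parsed):
    """gid:sid of new rules shipped DISABLED: they never fire unless enabled."""
    return sorted(f'{e["gid"]}:{e["sid"]}'
                  for e in parsed.get("new", []) if e["state"] == "DISABLED")

def count_by_group(parsed):
    """Number of added plus modified rules per rule set file."""
    return dict(Counter(e["group"] for sec in parsed.values() for e in sec))
```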