Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
* 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
* 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
* 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
* 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
* 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
* 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)

* 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
* 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
* 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
* 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
* 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
* 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
* 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)
* 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
* 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
* 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
* 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)

* 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
* 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
* 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
* 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
* 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server CopyFile method directory traversal attempt (server-webapp.rules)
* 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:35845 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:35844 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35843 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca Server MoveFile method directory traversal attempt (server-webapp.rules)
* 1:35827 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:35849 <-> DISABLED <-> POLICY-OTHER EMC Documentum Content Server remote access attempt (policy-other.rules)
* 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules)
* 1:35837 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35838 <-> ENABLED <-> BLACKLIST DNS request for known malware domain drop-into.hol.es - Win.Trojan.Namospu (blacklist.rules)
* 1:35839 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exonapps.nl - Win.Trojan.Namospu (blacklist.rules)
* 1:35836 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
* 1:35840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules)
* 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules)
* 1:35846 <-> DISABLED <-> SERVER-WEBAPP Navis DocumentCloud WordPress plugin window.php cross site scripting attempt (server-webapp.rules)

* 1:35632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35478 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35411 <-> DISABLED <-> BROWSER-CHROME Google Chrome XSSAuditor Policy ByPass command injection attempt (browser-chrome.rules)
* 1:31860 <-> DISABLED <-> SERVER-OTHER Apple CUPS web interface cross site scripting attempt (server-other.rules)
* 1:35635 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35412 <-> DISABLED <-> BROWSER-CHROME Google Chrome xssauditor policy bypass command injection attempt (browser-chrome.rules)
* 1:35477 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CLabelElement object use after free attempt (browser-ie.rules)
* 1:35542 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt (exploit-kit.rules)
* 1:35633 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:35634 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetMonitor use-after-free attempt (file-flash.rules)
* 1:31812 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
* 1:31811 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlLayout use after free attempt (browser-ie.rules)
* 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
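The following is an added example, not part of this rule-update notice and not Talos or Snort tooling: a small Python parser for the "gid:sid <-> Default rule state <-> Message (rule group)" format used in the three lists above (2973, 2975 and 2962). It reads the lists as they appear on the page (entries joined by " * ", sometimes broken across lines) and then performs the checks an operator wants after a rule update: which rules arrive DISABLED by default and so need an explicit policy decision, which .rules files the pack touches, whether the per-version packs really carry the same rules, and whether any rule's default state flipped between packs. The embedded sample input is an excerpt of the entries on this page; the "gid:sid  # message" output format is an assumption about the reader's rule manager (PulledPork's enablesid.conf, for example, takes one gid:sid per line).

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# One entry in the page's "gid:sid <-> Default rule state <-> Message (rule group)"
# format. The lazy message match stops at the trailing "(xxx.rules)" token, so a
# message containing " - " or dots is not split.
ENTRY_RE = re.compile(
    r"(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)"
)

# Excerpt of the Snort 2973 list on this page, including the line break that
# extraction put inside the EMC Documentum entry (constructed sample input).
PACK_2973 = """
* 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules) * 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules) * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules) * 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation
attempt (server-other.rules) * 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules) * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
"""

# The same excerpt as it appears in the Snort 2975 list (descending SID order).
PACK_2975 = """
* 1:35851 <-> DISABLED <-> SERVER-OTHER QEMU VNC set-pixel-format memory corruption attempt (server-other.rules) * 1:35850 <-> ENABLED <-> SERVER-OTHER EMC Documentum Content Server privilege escalation attempt (server-other.rules) * 1:35842 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Namospu variant outbound connection (malware-cnc.rules) * 1:35841 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xenbooter.tk - Win.Trojan.Namospu (blacklist.rules) * 1:35826 <-> DISABLED <-> FILE-OTHER TAR archive with absolute path detected (file-other.rules)
* 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules) * 3:30887 <-> ENABLED <-> SERVER-OTHER Cisco Tshell command injection attempt (server-other.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str

    @property
    def key(self) -> str:
        return f"{self.gid}:{self.sid}"


def parse_rule_list(text: str) -> list[RuleEntry]:
    """Parse a rule-update list. Entries are separated by ' * ' and extraction
    may break one entry across lines, so all whitespace is collapsed first."""
    flat = " ".join(text.split())
    return [
        RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])
        for m in ENTRY_RE.finditer(flat)
    ]


def state_counts(entries: list[RuleEntry]) -> Counter:
    """How many rules ship ENABLED vs DISABLED by default."""
    return Counter(e.state for e in entries)


def group_counts(entries: list[RuleEntry]) -> Counter:
    """Rules per .rules file, to see which categories the pack touches."""
    return Counter(e.group for e in entries)


def disabled_by_default(entries: list[RuleEntry]) -> list[str]:
    """gid:sid keys that will not fire unless the operator enables them."""
    ordered = sorted(entries, key=lambda e: (e.gid, e.sid))
    return [e.key for e in ordered if e.state == "DISABLED"]


def diff_packs(a: list[RuleEntry], b: list[RuleEntry]) -> tuple[set[str], set[str]]:
    """Keys present only in pack a, and keys present only in pack b."""
    ka, kb = {e.key for e in a}, {e.key for e in b}
    return ka - kb, kb - ka


def state_changes(a: list[RuleEntry], b: list[RuleEntry]) -> dict[str, tuple[str, str]]:
    """Rules present in both packs whose default state differs."""
    sa = {e.key: e.state for e in a}
    sb = {e.key: e.state for e in b}
    return {k: (sa[k], sb[k]) for k in sa.keys() & sb.keys() if sa[k] != sb[k]}


def enable_list(entries: list[RuleEntry], keys: list[str]) -> str:
    """Render selected rules as 'gid:sid  # message' lines for a rule manager
    (assumed format, e.g. PulledPork's enablesid.conf with one gid:sid per line)."""
    by_key = {e.key: e for e in entries}
    return "\n".join(f"{k}  # {by_key[k].msg}" for k in keys)


if __name__ == "__main__":
    a, b = parse_rule_list(PACK_2973), parse_rule_list(PACK_2975)
    print("default states:", dict(state_counts(a)))
    print("rule groups:", dict(group_counts(a)))
    print("only in 2973 / only in 2975:", diff_packs(a, b))
    print("state flips:", state_changes(a, b))
    print("disabled by default, review before deploying:")
    print(enable_list(a, disabled_by_default(a)))
```

DISABLED here means the rule is shipped in the pack but is off in the default policy; the Oracle Endeca traversal, QEMU VNC and TAR absolute-path rules above are examples. They give no coverage until enabled, so the disabled list is the part of an update that deserves a deliberate decision rather than a glance. The parser works only on this notice's list format, not on the rule bodies themselves.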