Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-flash, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
* 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
* 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)
* 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
* 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
* 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)
* 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
* 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36199 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant outbound connection (malware-cnc.rules)
* 1:36198 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Yakes variant certificate (malware-cnc.rules)
* 1:36197 <-> DISABLED <-> SERVER-WEBAPP nginx SMTP proxy STARTTLS plaintext command injection attempt (server-webapp.rules)
* 1:36196 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36195 <-> DISABLED <-> SERVER-WEBAPP Reprise license manager actserver and akey HTTP parameters parsing stack buffer overflow attempt (server-webapp.rules)
* 1:36194 <-> DISABLED <-> POLICY-OTHER BitTorrent distributed reflected denial-of-service attempt (policy-other.rules)
* 1:36193 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected (file-flash.rules)
* 1:36192 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36191 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt (file-pdf.rules)
* 1:36190 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36189 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36188 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36187 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display list use after free attempt (file-flash.rules)
* 1:36186 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qytags variant outbound connection (malware-cnc.rules)
* 1:36185 <-> ENABLED <-> BLACKLIST DNS request for known malware domain bokerensheng.lofter.com - Win.Trojan.Qytags (blacklist.rules)
* 1:36184 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire group-summary cross site scripting attempt (server-webapp.rules)
* 1:36183 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire create-bookmark cross site scripting attempt (server-webapp.rules)
* 1:36182 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server-session-details cross site scripting attempt (server-webapp.rules)
* 1:36181 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:36180 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36179 <-> DISABLED <-> DELETED SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (deleted.rules)
* 1:36178 <-> DISABLED <-> SERVER-WEBAPP Endian Firewall Proxy chpasswd.cgi command injection attempt (server-webapp.rules)
* 1:16206 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS server spoofing attempt (os-windows.rules)
* 1:26132 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:26133 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer saveHistory use after free attempt (browser-ie.rules)
* 1:27269 <-> DISABLED <-> SERVER-OTHER GuildFTPd CWD command heap overflow attempt (server-other.rules)
* 1:27270 <-> DISABLED <-> SERVER-OTHER GuildFTPd LIST command heap overflow attempt (server-other.rules)
* 1:31068 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:31069 <-> DISABLED <-> SERVER-OTHER F5 BIG-IP remote command injection attempt (server-other.rules)
* 1:34064 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:34065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CMapStringToPtr use after free attempt (browser-ie.rules)
* 1:35847 <-> DISABLED <-> SERVER-WEBAPP Oracle Endeca server directory traversal attempt (server-webapp.rules)