Talos Rules 2015-10-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-01 18:11:46 UTC

Snort Subscriber Rules Update

Date: 2015-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36280 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36279 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36278 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36277 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36275 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36274 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vincenzo-sorelli.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36273 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arijoputane.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules)
 * 1:36269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36267 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36262 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36261 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36260 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36259 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36258 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36257 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36256 <-> DISABLED <-> SERVER-OTHER ElasticSearch information disclosure attempt (server-other.rules)
 * 1:36255 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:36254 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)

Modified Rules:

 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:15870 <-> DISABLED <-> FILE-IDENTIFY 4XM file download request (file-identify.rules)
 * 1:15945 <-> DISABLED <-> FILE-IDENTIFY RSS file download request (file-identify.rules)
 * 1:17739 <-> DISABLED <-> FILE-IDENTIFY FlashPix file download request (file-identify.rules)
 * 1:34398 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:20975 <-> DISABLED <-> FILE-IDENTIFY 3G2 file download request (file-identify.rules)
 * 1:21016 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cyb file attachment detected (file-identify.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:21701 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:21702 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:34397 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:21703 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21704 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21915 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:21916 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:34396 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:22985 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:22986 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:23487 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:23488 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:34395 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:23497 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23498 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:27276 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:24599 <-> DISABLED <-> FILE-IDENTIFY Alt-N MDaemon IMAP Server (file-identify.rules)
 * 1:27275 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)

2015-10-01 18:11:46 UTC

Snort Subscriber Rules Update

Date: 2015-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36278 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36279 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36280 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36259 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36254 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:36255 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:36256 <-> DISABLED <-> SERVER-OTHER ElasticSearch information disclosure attempt (server-other.rules)
 * 1:36257 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36258 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36260 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36261 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36262 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36267 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules)
 * 1:36273 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arijoputane.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36274 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vincenzo-sorelli.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36275 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36277 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)

Modified Rules:

 * 1:27276 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:34398 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34397 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34396 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34395 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:23498 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:15870 <-> DISABLED <-> FILE-IDENTIFY 4XM file download request (file-identify.rules)
 * 1:17739 <-> DISABLED <-> FILE-IDENTIFY FlashPix file download request (file-identify.rules)
 * 1:20975 <-> DISABLED <-> FILE-IDENTIFY 3G2 file download request (file-identify.rules)
 * 1:21016 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cyb file attachment detected (file-identify.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:15945 <-> DISABLED <-> FILE-IDENTIFY RSS file download request (file-identify.rules)
 * 1:21702 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:21703 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21704 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21915 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:21701 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:22985 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:21916 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:22986 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:23487 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:23497 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23488 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:24599 <-> DISABLED <-> FILE-IDENTIFY Alt-N MDaemon IMAP Server (file-identify.rules)
 * 1:27275 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)

2015-10-01 18:11:46 UTC

Snort Subscriber Rules Update

Date: 2015-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36280 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36255 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:36257 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36254 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:36256 <-> DISABLED <-> SERVER-OTHER ElasticSearch information disclosure attempt (server-other.rules)
 * 1:36279 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36259 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36260 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36261 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36262 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36267 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules)
 * 1:36273 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arijoputane.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36274 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vincenzo-sorelli.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36258 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36278 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36275 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36277 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)

Modified Rules:

 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:27276 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:34395 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:34398 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34396 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:34397 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:23497 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:23488 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:15870 <-> DISABLED <-> FILE-IDENTIFY 4XM file download request (file-identify.rules)
 * 1:15945 <-> DISABLED <-> FILE-IDENTIFY RSS file download request (file-identify.rules)
 * 1:17739 <-> DISABLED <-> FILE-IDENTIFY FlashPix file download request (file-identify.rules)
 * 1:20975 <-> DISABLED <-> FILE-IDENTIFY 3G2 file download request (file-identify.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:21701 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:21702 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:21703 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21016 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cyb file attachment detected (file-identify.rules)
 * 1:21915 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:21704 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:22985 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:21916 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:22986 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:23498 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23487 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:27275 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:24599 <-> DISABLED <-> FILE-IDENTIFY Alt-N MDaemon IMAP Server (file-identify.rules)

2015-10-01 18:11:46 UTC

Snort Subscriber Rules Update

Date: 2015-10-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36279 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36259 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36280 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36254 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:36257 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36256 <-> DISABLED <-> SERVER-OTHER ElasticSearch information disclosure attempt (server-other.rules)
 * 1:36261 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36262 <-> DISABLED <-> SERVER-WEBAPP PHP fileinfo cdf_read_property_info denial of service attempt (server-webapp.rules)
 * 1:36263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36264 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36269 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36265 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36266 <-> ENABLED <-> FILE-FLASH Adobe Flash Player URLStreamObject out of bounds read attempt (file-flash.rules)
 * 1:36267 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36268 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection (malware-cnc.rules)
 * 1:36278 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)
 * 1:36271 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:36270 <-> DISABLED <-> SERVER-WEBAPP Centreon main.php command injection attempt (server-webapp.rules)
 * 1:36273 <-> ENABLED <-> BLACKLIST DNS request for known malware domain arijoputane.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36255 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:36274 <-> ENABLED <-> BLACKLIST DNS request for known malware domain vincenzo-sorelli.com - Win.Trojan.Corebot (blacklist.rules)
 * 1:36275 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36276 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Corebot variant outbound connection (malware-cnc.rules)
 * 1:36260 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36258 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray writeByte buffer overflow attempt (file-flash.rules)
 * 1:36277 <-> ENABLED <-> FILE-FLASH Adobe Flash Player diplayAsPassword information disclosure attempt (file-flash.rules)

Modified Rules:

 * 1:29548 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway POST vulnerability attempt (server-webapp.rules)
 * 1:31634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:31635 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer margin overflow use after free attempt (browser-ie.rules)
 * 1:22985 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:29547 <-> DISABLED <-> SERVER-WEBAPP IBM Rational Focal Point webservice Axis Gateway GET vulnerability attempt (server-webapp.rules)
 * 1:27276 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:34395 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:3827 <-> DISABLED <-> SERVER-WEBAPP PHP xmlrpc.php post attempt (server-webapp.rules)
 * 1:34398 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download attempt (file-identify.rules)
 * 1:34397 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file download request (file-identify.rules)
 * 1:34396 <-> DISABLED <-> FILE-IDENTIFY Microsoft Journal file attachment detected (file-identify.rules)
 * 1:21702 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:23498 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:23497 <-> DISABLED <-> FILE-IDENTIFY CUR file attachment detected (file-identify.rules)
 * 1:15870 <-> DISABLED <-> FILE-IDENTIFY 4XM file download request (file-identify.rules)
 * 1:15945 <-> DISABLED <-> FILE-IDENTIFY RSS file download request (file-identify.rules)
 * 1:20975 <-> DISABLED <-> FILE-IDENTIFY 3G2 file download request (file-identify.rules)
 * 1:21016 <-> DISABLED <-> FILE-IDENTIFY Cytel Studio cyb file attachment detected (file-identify.rules)
 * 1:21017 <-> DISABLED <-> FILE-IDENTIFY cyb Cytel Studio file attachment detected (file-identify.rules)
 * 1:21701 <-> DISABLED <-> FILE-IDENTIFY FlashPix file attachment detected (file-identify.rules)
 * 1:17739 <-> DISABLED <-> FILE-IDENTIFY FlashPix file download request (file-identify.rules)
 * 1:21704 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21703 <-> DISABLED <-> FILE-IDENTIFY 4XM file attachment detected (file-identify.rules)
 * 1:21916 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:21915 <-> DISABLED <-> SERVER-OTHER Novell Groupwise HTTP login request (server-other.rules)
 * 1:22986 <-> DISABLED <-> FILE-IDENTIFY 3G2 file attachment detected (file-identify.rules)
 * 1:23487 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)
 * 1:24599 <-> DISABLED <-> FILE-IDENTIFY Alt-N MDaemon IMAP Server (file-identify.rules)
 * 1:27275 <-> DISABLED <-> FILE-IDENTIFY Trimble SketchUp file attachment detected (file-identify.rules)
 * 1:23488 <-> DISABLED <-> FILE-IDENTIFY JOB file attachment detected (file-identify.rules)