Talos Rules 2015-10-06
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-06 14:45:49 UTC

Snort Subscriber Rules Update

Date: 2015-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
 * 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
 * 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
 * 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
 * 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
 * 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
 * 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
 * 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)

Modified Rules:


 * 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
 * 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)

2015-10-06 14:45:49 UTC

Snort Subscriber Rules Update

Date: 2015-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
 * 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
 * 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
 * 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
 * 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
 * 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)

Modified Rules:


 * 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)

2015-10-06 14:45:49 UTC

Snort Subscriber Rules Update

Date: 2015-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
 * 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
 * 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
 * 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
 * 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
 * 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
 * 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)

Modified Rules:


 * 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
 * 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)

2015-10-06 14:45:49 UTC

Snort Subscriber Rules Update

Date: 2015-10-06

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36331 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Katrina variant outbound connection (malware-cnc.rules)
 * 1:36330 <-> DISABLED <-> SERVER-WEBAPP Kaseya VSA uploader.aspx PathData directory traversal attempt (server-webapp.rules)
 * 1:36329 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36328 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36327 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36326 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36325 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection (malware-cnc.rules)
 * 1:36324 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36323 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36322 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36321 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeChildren use-after-free attempt (file-flash.rules)
 * 1:36320 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36319 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36318 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Netstream Video null pointer dereference attempt (file-flash.rules)
 * 1:36317 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded FLV potential information leak attempt (file-flash.rules)
 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:36315 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit relay traffic detected (exploit-kit.rules)
 * 1:36314 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36313 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36312 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player class scope bypass attempt (file-flash.rules)
 * 1:36310 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36309 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36308 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36307 <-> ENABLED <-> FILE-IMAGE Trimble SketchUp corrupt BMP RLE4 heap buffer overflow attempt (file-image.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36304 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WinPlock variant outbound connection (malware-cnc.rules)
 * 1:36303 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response (malware-cnc.rules)
 * 1:36302 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36301 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36300 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36299 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:36298 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36297 <-> ENABLED <-> FILE-FLASH Adobe Flash Player video decode use after free attempt (file-flash.rules)
 * 1:36296 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36295 <-> ENABLED <-> FILE-FLASH Adobe Flash Player movie signed integer memory corruption attempt (file-flash.rules)
 * 1:36294 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection attempt (malware-cnc.rules)
 * 1:36293 <-> ENABLED <-> BLACKLIST DNS request for known malware domain exenull1.appspot.com - Win.Backdoor.Nisinul (blacklist.rules)
 * 1:36292 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36291 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36290 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36289 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream.appendBytes use after free attempt (file-flash.rules)
 * 1:36288 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36287 <-> ENABLED <-> FILE-FLASH Adobe Flash Player avc_core out of bounds memory access attempt (file-flash.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:36285 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36284 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36283 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager APMAlertOperations servlet SQL injection attempt (server-webapp.rules)
 * 1:36282 <-> ENABLED <-> POLICY-OTHER Cisco router Security Device Manager default banner (policy-other.rules)
 * 1:36281 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)

Modified Rules:


 * 1:10140 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Input Method Editor 2 ActiveX clsid access attempt (browser-plugins.rules)
 * 1:15992 <-> DISABLED <-> FILE-OTHER Trend Micro Products Antivirus Library overflow attempt (file-other.rules)
 * 1:32817 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:32818 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt (file-flash.rules)
 * 1:34538 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:34539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ByteArray shading memory leak attempt (file-flash.rules)
 * 1:34855 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:34856 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter out of bounds write attempt (file-flash.rules)
 * 1:35501 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35502 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom out of bounds read attempt (file-office.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:36203 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:36204 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll corrupt fcPlcfFldMom uninitialized memory access attempt  (file-office.rules)
 * 1:3632 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 3:30931 <-> ENABLED <-> SERVER-OTHER Cisco RV180W remote file inclusion attempt (server-other.rules)