Talos Rules 2015-10-21
Talos has discovered several vulnerabilities affecting NTP.

CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, and CVE-2015-7871: NTP suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35831 and 36250 through 36253.

A new rule to detect attacks targeting these vulnerabilities is also included in this release and is identified with GID 1, SID 36536.

Talos has also added and modified multiple rules in the blacklist, browser-ie, browser-plugins and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-21 19:55:23 UTC

Snort Subscriber Rules Update

Date: 2015-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
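Because several of the NTP rules referenced above ship DISABLED by default, a defender has to enable them locally before they provide any coverage. The following Python parser for the line format described here is an added example, not part of the Talos release; the sample lines are copied from this page's first change log, and the SID set is the one the advisory text lists.

```python
import re

# Rule-list line format stated in the release notes:
#   gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Sample lines copied from this release's first change log.
SAMPLE = """\
New Rules:
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
Modified Rules:
 * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules)
 * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules)
 * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules)
 * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules)
 * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
"""

def parse_rule_line(line):
    """Parse one ' * gid:sid <-> STATE <-> msg (group)' line, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"gid": int(m["gid"]), "sid": int(m["sid"]), "state": m["state"],
            "msg": m["msg"], "group": m["group"]}

def parse_changelog(text):
    """Group parsed entries under their 'New Rules' / 'Modified Rules' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.rstrip().endswith("Rules:"):
            current = line.strip().rstrip(":")
            sections.setdefault(current, [])
            continue
        entry = parse_rule_line(line)
        if entry and current:
            sections[current].append(entry)
    return sections

def disabled_by_default(text, sids):
    """SIDs from `sids` present in the change log but shipped DISABLED."""
    found = {e["sid"]: e for sec in parse_changelog(text).values() for e in sec}
    return sorted(s for s in sids if s in found and found[s]["state"] == "DISABLED")

# SIDs the advisory names for the NTP vulnerabilities (GID 1).
NTP_SIDS = {35831, 36250, 36251, 36252, 36253, 36536}
```

Run `disabled_by_default(SAMPLE, NTP_SIDS)` against a full change log to get the list of NTP SIDs that must be switched on in the local policy.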

New Rules:


 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules)
 * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules)
 * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules)
 * 1:21965 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent VB WININET (blacklist.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)

2015-10-21 19:55:23 UTC

Snort Subscriber Rules Update

Date: 2015-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)

Modified Rules:


 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules)
 * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules)
 * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules)
 * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules)
 * 1:21965 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent VB WININET (blacklist.rules)
 * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)

2015-10-21 19:55:22 UTC

Snort Subscriber Rules Update

Date: 2015-10-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36536 <-> DISABLED <-> SERVER-OTHER NTP crypto-NAK packet flood attempt (server-other.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36253 <-> DISABLED <-> SERVER-OTHER ntpd saveconfig directory traversal attempt (server-other.rules)
 * 1:36252 <-> DISABLED <-> SERVER-OTHER ntpd remote configuration denial of service attempt (server-other.rules)
 * 1:36251 <-> DISABLED <-> SERVER-OTHER ntpq atoascii memory corruption attempt (server-other.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:35831 <-> DISABLED <-> SERVER-OTHER multiple vendors NTP daemon integer overflow attempt (server-other.rules)
 * 1:36250 <-> DISABLED <-> SERVER-OTHER ntpd keyfile buffer overflow attempt (server-other.rules)
 * 1:21965 <-> DISABLED <-> BLACKLIST User-Agent known malicious user agent VB WININET (blacklist.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)