Talos Rules 2015-10-22
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-multimedia, malware-cnc, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-10-22 15:03:45 UTC

Snort Subscriber Rules Update

Date: 2015-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
 * 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
 * 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
 * 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
 * 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
 * 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
 * 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
 * 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)

Modified Rules:

 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
 * 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)

2015-10-22 15:03:45 UTC

Snort Subscriber Rules Update

Date: 2015-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
 * 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
 * 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
 * 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
 * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
 * 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
 * 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
 * 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)

Modified Rules:

 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
 * 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
 * 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)

2015-10-22 15:03:45 UTC

Snort Subscriber Rules Update

Date: 2015-10-22

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36561 <-> DISABLED <-> DELETED scary rule go away XX (deleted.rules)
 * 1:36560 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36559 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36556 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36555 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36554 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36553 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36552 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36551 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36550 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36549 <-> ENABLED <-> FILE-FLASH Adobe Flash Player writeExternal type confusion attempt (file-flash.rules)
 * 1:36548 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36547 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36546 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36545 <-> DISABLED <-> SERVER-OTHER Avast Antivirus X.509 Common Name remote code execution attempt (server-other.rules)
 * 1:36544 <-> DISABLED <-> SERVER-WEBAPP pChart script parameter directory traversal attempt (server-webapp.rules)
 * 1:36543 <-> ENABLED <-> EXPLOIT-KIT Hunter exploit kit landing page detected (exploit-kit.rules)
 * 1:36542 <-> DISABLED <-> SERVER-WEBAPP HP OpenView Network Node Manager HTTP handling buffer overflow attempt (server-webapp.rules)
 * 1:36541 <-> DISABLED <-> POLICY-OTHER Polycom Botnet inbound connection attempt (policy-other.rules)
 * 1:36540 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Brolux variant outbound connection (malware-cnc.rules)
 * 1:36539 <-> ENABLED <-> BLACKLIST DNS request for known malware domain luxurybro.co.kr - Win.Trojan.Brolux (blacklist.rules)
 * 1:36538 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.servecounterstrike.com - Win.Trojan.Brolux (blacklist.rules)
 * 1:36537 <-> ENABLED <-> BLACKLIST DNS request for known malware domain fas-go-jp-security.kensatsutyo.com - Win.Trojan.Brolux (blacklist.rules)
 * 3:36557 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay denial of service attempt (server-other.rules)
 * 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)

Modified Rules:

 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36055 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNSSEC response unsupported DNSKEY cryptographic algorithm attempt (protocol-dns.rules)
 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:26243 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)
 * 1:26242 <-> DISABLED <-> FILE-MULTIMEDIA CCMPlayer m3u buffer overflow attempt (file-multimedia.rules)