Talos Rules 2015-10-27
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-webkit, exploit-kit, file-flash, file-multimedia, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that several of the new rules (the libav LZO, OpenEMR authentication bypass, Kerberos privilege escalation, Safari AppleScript and Slackbot rules) ship DISABLED by default and provide no coverage until an operator enables them.

Change logs

2015-10-27 15:00:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962 (Snort 2.9.6.2).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
 * 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)

Modified Rules:

 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
 * 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
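The "gid:sid <-> Default rule state <-> Message (rule group)" format above is regular enough to consume mechanically, which is how a sensor operator actually uses one of these pages: pull out the rules that ship DISABLED (no coverage until someone enables them), build an enable list for the rule groups that matter to the site, and confirm that the blocks published for different rule-pack versions carry the same SIDs. The script below is an added example written for this page, not Talos or Snort tooling. It assumes every block opens with the "rule pack for Snort version NNNN" sentence as on this page, and that the rule manager on the receiving end accepts one gid:sid per line as an enable list (an assumption about the consumer, not something the page states). SAMPLE_PAGE is a constructed excerpt of the entries above, with the same rules listed in two different orders.

```python
"""Parse Talos rule-update changelog blocks ("gid:sid <-> state <-> message (group)")
and pull out what a sensor operator has to act on. Added example written for this
page, not Talos or Snort tooling; SAMPLE_PAGE is a constructed excerpt of the page."""
import re
from dataclasses import dataclass

# e.g. " * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR ... attempt (server-webapp.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s*\((?P<group>[^)]+)\)\s*$")
# Sentence that opens each block on this page; assumed present for every block.
BLOCK_RE = re.compile(r"rule pack for Snort version (\d+)")

@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool   # default state in the shipped rule pack
    category: str   # message prefix, e.g. OS-WINDOWS
    msg: str
    group: str      # .rules file the rule lives in
    section: str    # "New Rules" or "Modified Rules"

def parse_changelog(text):
    """Entries of one changelog block, tagged with the section they appear under."""
    section, entries = None, []
    for line in text.splitlines():
        head = line.strip()
        if head in ("New Rules:", "Modified Rules:"):
            section = head[:-1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, the format description itself
        if section is None:
            raise ValueError(f"rule line outside any section: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED",
                                 m["category"], m["msg"], m["group"], section))
    return entries

def split_blocks(page):
    """{rule-pack version: entries} for a page that carries several update blocks."""
    blocks, version, buf = {}, None, []
    for line in page.splitlines():
        m = BLOCK_RE.search(line)
        if m and version is not None:
            blocks[version] = parse_changelog("\n".join(buf))
        if m:
            version, buf = m.group(1), []
        else:
            buf.append(line)
    if version is not None:
        blocks[version] = parse_changelog("\n".join(buf))
    return blocks

def disabled_by_default(entries):
    """(gid, sid) of every rule that ships DISABLED: no coverage until you enable it."""
    return sorted((e.gid, e.sid) for e in entries if not e.enabled)

def enable_candidates(entries, groups):
    """'gid:sid' strings, in page order, for disabled rules in the given .rules files;
    one gid:sid per line is assumed to be what the site's rule manager takes as an enable list."""
    return [f"{e.gid}:{e.sid}" for e in entries if not e.enabled and e.group in groups]

def same_rule_set(a, b):
    """True when two blocks carry the same (gid, sid, section, state), whatever the order."""
    key = lambda es: {(e.gid, e.sid, e.section, e.enabled) for e in es}
    return key(a) == key(b)

# Constructed excerpt: two blocks carrying the same rules in different orders.
SAMPLE_PAGE = """\
Sourcefire VRT Certified rule pack for Snort version 2962.
New Rules:
 * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
Modified Rules:
 * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)

Sourcefire VRT Certified rule pack for Snort version 2976.
New Rules:
 * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
 * 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
Modified Rules:
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)
 * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
"""

if __name__ == "__main__":
    blocks = split_blocks(SAMPLE_PAGE)
    for version, entries in blocks.items():
        print(version, "ships disabled:", disabled_by_default(entries))
    print("blocks agree:", same_rule_set(blocks["2962"], blocks["2976"]))
    print("enable for an OpenEMR / domain-controller site:",
          enable_candidates(blocks["2976"], {"server-webapp.rules", "os-windows.rules"}))
```

Run against the full page text instead of SAMPLE_PAGE, the same functions show that all three blocks (2962, 2975, 2976) carry identical SIDs and states, and that the rules worth a deliberate enable decision are the OpenEMR (server-webapp), Kerberos (os-windows), libav LZO (file-multimedia), Safari AppleScript (browser-webkit) and Slackbot (malware-cnc) signatures.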

2015-10-27 15:00:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975 (Snort 2.9.7.5).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
 * 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)

Modified Rules:

 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
 * 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)

2015-10-27 15:00:37 UTC

Snort Subscriber Rules Update

Date: 2015-10-27

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976 (Snort 2.9.7.6).

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36562 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36563 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:36564 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36565 <-> DISABLED <-> FILE-MULTIMEDIA libav LZO integer overflow attempt (file-multimedia.rules)
 * 1:36566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36568 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36569 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36570 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36571 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36572 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection (malware-cnc.rules)
 * 1:36573 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36574 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36575 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player recursion check stack overflow attempt (file-flash.rules)
 * 1:36577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection (malware-cnc.rules)
 * 1:36579 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36580 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Slackbot variant outbound connection (malware-cnc.rules)
 * 1:36581 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36582 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36583 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36584 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE engine find_recurse out-of-bounds read attempt (file-flash.rules)
 * 1:36585 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari user assisted applescript code execution attempt (browser-webkit.rules)
 * 1:36586 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36587 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36588 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36589 <-> ENABLED <-> FILE-FLASH Adobe Flash Player message handler array length overflow attempt (file-flash.rules)
 * 1:36590 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36591 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36592 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36593 <-> ENABLED <-> FILE-FLASH Adobe Flash Player textLine use-after-free attempt (file-flash.rules)
 * 1:36594 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36595 <-> DISABLED <-> SERVER-WEBAPP OpenEMR globals.php authentication bypass attempt (server-webapp.rules)
 * 1:36596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:32665 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:32666 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coreshell variant outbound connection (malware-cnc.rules)
 * 1:32667 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Chopstick variant outbound request (malware-cnc.rules)
 * 1:34426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:34427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows cng.sys memory leak kernel ASLR bypass attempt (os-windows.rules)
 * 1:35118 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kerberos privilege escalation attempt (os-windows.rules)
 * 1:36113 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36114 <-> ENABLED <-> FILE-MULTIMEDIA Adobe Flash Player ID3 tag integer overflow attempt (file-multimedia.rules)
 * 1:36535 <-> ENABLED <-> EXPLOIT-KIT Neutrino exploit kit landing page detected (exploit-kit.rules)