Talos Rules 2015-11-03
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-java, file-office, file-pdf, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies. Note that most of the new exploit-kit, server-webapp, browser-plugins and server-other rules ship DISABLED by default; review the lists below and enable the ones that apply to software in your environment.

Change logs

2015-11-03 16:09:14 UTC

Snort Subscriber Rules Update

Date: 2015-11-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)

Modified Rules:


 * 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
 * 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
 * 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
 * 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
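Because the change log is published in the fixed "gid:sid <-> Default rule state <-> Message (rule group)" form described above, it is straightforward to parse and turn into a sid-management list for rules that ship DISABLED by default. The following Python is an added example, not Talos or Snort code: it parses a handful of entries copied from this change log (the sample is a partial copy, not the whole log), groups the DISABLED rules by their leading category token, and emits gid:sid lines in the form PulledPork's enablesid.conf accepts. The category names, the choice of which categories to enable and the enablesid mapping are this example's assumptions.

```python
import re
from collections import defaultdict

# Regex for one change-log entry line, following the format the page gives:
#   gid:sid <-> Default rule state <-> Message (rule group)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# Sample entries copied from the 2015-11-03 change log (a partial copy used
# as test input, not the complete log).
SAMPLE_LOG = """\
New Rules:

 * 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
"""


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section ('new' or
    'modified') it appeared under. Lines that do not match the format are skipped."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
        })
    return entries


def disabled_by_category(entries):
    """Map the message's leading category token (e.g. EXPLOIT-KIT) to the
    sorted gid:sid strings of rules that ship DISABLED by default."""
    out = defaultdict(list)
    for e in entries:
        if e["state"] == "DISABLED":
            category = e["msg"].split(" ", 1)[0]
            out[category].append(f"{e['gid']}:{e['sid']}")
    return {k: sorted(v) for k, v in out.items()}


def enablesid_lines(entries, categories):
    """Emit gid:sid lines (the form PulledPork's enablesid.conf accepts;
    assumption of this example) for the DISABLED rules in the given categories."""
    wanted = disabled_by_category(entries)
    lines = []
    for cat in categories:
        lines.extend(wanted.get(cat, []))
    return lines


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_LOG)
    print(f"{len(parsed)} rules parsed")
    for cat, sids in disabled_by_category(parsed).items():
        print(f"{cat}: {', '.join(sids)}")
    # A site running Joomla behind the sensor would want these two categories on.
    print("\n".join(enablesid_lines(parsed, ["EXPLOIT-KIT", "SERVER-WEBAPP"])))
```

Point the script at the full text of a change log instead of SAMPLE_LOG to get the complete list; ENABLED rules are already on by default, so only DISABLED entries appear in the output.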

2015-11-03 16:09:14 UTC

Snort Subscriber Rules Update

Date: 2015-11-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)

Modified Rules:


 * 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
 * 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
 * 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
 * 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)

2015-11-03 16:09:14 UTC

Snort Subscriber Rules Update

Date: 2015-11-03

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36637 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt (exploit-kit.rules)
 * 1:36636 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:36635 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:36634 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
 * 1:36633 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36632 <-> DISABLED <-> SERVER-OTHER NTP decodenetnum assertion failure denial of service attempt (server-other.rules)
 * 1:36631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word .rtf file stylesheet buffer overflow attempt (file-office.rules)
 * 1:36630 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36629 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Teabevil outbound variant connection (malware-cnc.rules)
 * 1:36628 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Recodler variant outbound connection (malware-cnc.rules)
 * 1:36627 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tanmar outbound connection (malware-cnc.rules)
 * 1:36626 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36625 <-> ENABLED <-> MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection (malware-cnc.rules)
 * 1:36624 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36623 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36622 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wedots outbound variant connection (malware-cnc.rules)
 * 1:36621 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36620 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36619 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36618 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven GetWideStrCpy ActiveX clsid access (browser-plugins.rules)
 * 1:36617 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36616 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36615 <-> DISABLED <-> SERVER-WEBAPP Joomla com_contenthistory module SQL injection attempt (server-webapp.rules)
 * 1:36614 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)
 * 1:36613 <-> DISABLED <-> SERVER-WEBAPP McAfee Cloud Single Sign ExtensionAccessServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:12197 <-> DISABLED <-> SERVER-OTHER CA message queuing server buffer overflow attempt (server-other.rules)
 * 1:21666 <-> ENABLED <-> FILE-JAVA Oracle Java JRE sandbox Atomic breach attempt (file-java.rules)
 * 1:28148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Mevade variant outbound connection (malware-cnc.rules)
 * 1:31735 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:31736 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Upatre variant outbound connection (malware-cnc.rules)
 * 1:36109 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36110 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36111 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36112 <-> ENABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven InterfaceFilter ActiveX clsid access (browser-plugins.rules)
 * 1:36272 <-> ENABLED <-> SERVER-WEBAPP GE MDS PulseNet hidden credentials authentication attempt (server-webapp.rules)
 * 1:36305 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36306 <-> DISABLED <-> FILE-PDF Foxit Reader PNG to PDF conversion heap buffer overflow attempt (file-pdf.rules)
 * 1:36472 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36473 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36474 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)
 * 1:36475 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess AspVCObj.AspDataDriven ConvToSafeArray ActiveX clsid access (browser-plugins.rules)