Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
* 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
* 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
* 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
* 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)

* 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
* 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
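The "gid:sid <-> Default rule state <-> Message (rule group)" format described above is regular enough to process mechanically, which matters because most of the non-blacklist rules in this update ship DISABLED: that is their state in the default policy, not their absence from the rule pack, so turning on something like the F5 BIG-IP iControl or Angler landing-page rule is a local policy decision. The following Python script is an added example and is not code from Talos or the Snort project. It parses entries in this format (including the flattened and line-wrapped layout seen on this page), counts default states per rule group, checks whether two per-version lists contain the same rules regardless of order, and emits pulledpork-style enablesid.conf entries for DISABLED rules in groups the reader cares about. The sample entries are copied from the list above; the choice of pulledpork's enablesid.conf as the output, and the assumption that it accepts "#" comment lines with one gid:sid per line, are mine.

```python
"""Parse a Talos/Snort rule-update change list and act on it.

Added example, not code from Talos or the Snort project. Input entries follow
the announced format  gid:sid <-> Default rule state <-> Message (rule group)
and may be flattened onto one line or wrapped mid-message, as on this page.
"""
import re
from collections import Counter

# One change-list entry. The leading "*" bullet is optional; the message is
# everything between the second "<->" and the trailing "(group.rules)".
ENTRY_RE = re.compile(
    r"^\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)$"
)

# Constructed sample: entries copied from the list above, deliberately left in
# the flattened / line-wrapped layout the page uses.
SAMPLE = (
    "* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules) "
    "* 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules) "
    "* 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules) "
    "* 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage \n"
    "setelementname buffer overflow attempt (file-other.rules)\n"
    "* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)\n"
)


def parse_changes(text):
    """Return a list of dicts (gid, sid, state, msg, group), one per entry.

    Entries are split wherever a new "* gid:sid <->" bullet starts, so several
    entries on one line and a single entry wrapped over two lines both work.
    Anything that is not a well-formed entry raises rather than being dropped.
    """
    rules = []
    for chunk in re.split(r"\s*(?=\*\s*\d+:\d+\s*<->)", text):
        entry = " ".join(chunk.split())  # collapse the wrap / stray whitespace
        if not entry:
            continue
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised change-list entry: {entry!r}")
        rules.append({
            "gid": int(m["gid"]), "sid": int(m["sid"]),
            "state": m["state"], "msg": m["msg"], "group": m["group"],
        })
    return rules


def state_counts(rules):
    """Counter keyed by (rule group, default state): what ships on vs. off."""
    return Counter((r["group"], r["state"]) for r in rules)


def same_rule_set(a, b):
    """True if two change lists contain the same (gid, sid, state) triples,
    ignoring order. Confirms that per-version lists differ only in ordering."""
    key = lambda rs: {(r["gid"], r["sid"], r["state"]) for r in rs}
    return key(a) == key(b)


def enablesid_lines(rules, groups):
    """pulledpork-style enablesid.conf entries for rules that ship DISABLED in
    the given groups. Assumed file format: '#' comment lines, one gid:sid per line."""
    wanted = sorted(
        (r for r in rules if r["state"] == "DISABLED" and r["group"] in groups),
        key=lambda r: (r["gid"], r["sid"]),
    )
    lines = []
    for r in wanted:
        lines.append(f"# {r['msg']}")
        lines.append(f"{r['gid']}:{r['sid']}")
    return lines


if __name__ == "__main__":
    rules = parse_changes(SAMPLE)
    for (group, state), n in sorted(state_counts(rules).items()):
        print(f"{group:<22} {state:<8} {n}")
    print()
    # Example: a site that runs F5 BIG-IP and wants exploit-kit landing pages
    # flagged, even though both rules ship DISABLED in the default policy.
    print("\n".join(enablesid_lines(rules, {"server-webapp.rules", "exploit-kit.rules"})))
```

Run it against the full list for any of the three Snort versions below and same_rule_set() will confirm that the per-version lists carry identical rules in a different order; the enablesid output is only a starting point, since a rule that ships DISABLED usually does so for performance or false-positive reasons and should be tuned on your own traffic before it goes into a blocking policy.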
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
* 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
* 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
* 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
* 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
* 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)

* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
* 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
* 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36788 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36787 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
* 1:36786 <-> DISABLED <-> FILE-OTHER Apple SceneKit qlmanage setelementname buffer overflow attempt (file-other.rules)
* 1:36785 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:36784 <-> DISABLED <-> POLICY-OTHER Symantec LiveUpdate forcepasswd.do insecure password change attempt (policy-other.rules)
* 1:36783 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36782 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:36781 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Gokawa variant outbound connection (malware-cnc.rules)
* 1:36780 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.yessearches.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36779 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xa.ghokswa.com - Win.Trojan.Gokawa (blacklist.rules)
* 1:36778 <-> DISABLED <-> SERVER-WEBAPP F5 BIG-IP iControl API arbitrary command execution attempt (server-webapp.rules)
* 1:36777 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection (malware-cnc.rules)
* 1:36776 <-> ENABLED <-> BLACKLIST DNS request for known malware domain zy98.com - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36775 <-> ENABLED <-> BLACKLIST DNS request for known malware domain down.rtba.info - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36774 <-> ENABLED <-> BLACKLIST DNS request for known malware domain count.9i1.cn - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36773 <-> ENABLED <-> BLACKLIST DNS request for known malware domain 240.la - Win.Trojan.Zimwervi (blacklist.rules)
* 1:36772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)

* 1:15924 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)
* 1:17772 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer Scriptlet Component ActiveX clsid access (browser-plugins.rules)
* 1:18767 <-> DISABLED <-> PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt (protocol-tftp.rules)
* 1:2337 <-> DISABLED <-> PROTOCOL-TFTP PUT filename overflow attempt (protocol-tftp.rules)
* 1:4148 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer DHTML Editing ActiveX clsid access (browser-plugins.rules)