Talos has added and modified multiple rules in the blacklist, file-flash, indicator-compromise, malware-cnc, pua-adware and server-other rule sets to provide coverage for emerging threats.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
* 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
* 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
* 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
* 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
* 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
* 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
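The listing above follows the fixed "gid:sid <-> state <-> message (rule group)" layout, which makes it easy to process mechanically: the state column tells you which rules will not fire until you enable them locally (here 1:32948 and 1:36825 ship DISABLED), and comparing two packs' listings shows what actually changed between releases. The following parser is an added example written for this page; it is not a Talos or Snort tool. The first sample block copies a few entries from the listing (run together on one line, as extracted pages often present them); the second, "earlier pack" block is constructed purely to exercise the diff and does not describe any real rule pack.

```python
import re
from collections import Counter

# One entry of the listing: "* gid:sid <-> ENABLED|DISABLED <-> message (group.rules)".
# The message is matched non-greedily so several entries run together on one
# line still split correctly; \s* before "(" also tolerates a line break there.
ENTRY_RE = re.compile(
    r"\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w-]+\.rules)\)"
)

# Constructed sample: entries copied from the page's listing, two of them run
# together on a single line the way extracted text often presents them.
SAMPLE = """\
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules) * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
* 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
* 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
"""

# Hypothetical "earlier pack" listing, constructed only to demonstrate the
# diff; it does not describe any real rule pack release.
SAMPLE_OLD = """\
* 1:32948 <-> ENABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
* 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
"""


def parse_listing(text):
    """Parse a rule pack listing into {'gid:sid': {'state', 'msg', 'group'}}."""
    rules = {}
    for m in ENTRY_RE.finditer(text):
        key = f"{m['gid']}:{m['sid']}"
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def disabled_by_default(rules):
    """SIDs that ship DISABLED and will not alert unless enabled locally."""
    return sorted(k for k, r in rules.items() if r["state"] == "DISABLED")


def count_by_group(rules):
    """Number of listed rules per rule file, e.g. file-flash.rules."""
    return Counter(r["group"] for r in rules.values())


def diff_listings(old, new):
    """SIDs added, removed, or whose default state changed between two packs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new)
                     if old[k]["state"] != new[k]["state"])
    return {"added": added, "removed": removed, "state_changed": changed}


if __name__ == "__main__":
    new = parse_listing(SAMPLE)
    print("disabled by default:", disabled_by_default(new))
    print("rules per group:", dict(count_by_group(new)))
    print("diff vs earlier pack:", diff_listings(parse_listing(SAMPLE_OLD), new))
```

Run it against the full listing and the output of `disabled_by_default` is the set you need to review for local enablement; an "added" SID in the diff is one you have never seen traffic against, so it is worth watching for false positives after the update.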
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
* 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
* 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
* 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
* 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
* 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
* 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
* 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
* 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
* 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
* 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
* 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
* 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
* 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
* 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
* 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
* 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
* 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
* 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
* 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
* 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
* 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)