Talos Rules 2015-11-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-flash, indicator-compromise, malware-cnc, pua-adware and server-other rule sets to provide coverage for emerging threats. Note that two of the rules listed below (1:36825 and 1:32948) ship DISABLED by default and will not alert until enabled in the local policy.

Change logs

2015-11-19 16:21:49 UTC

Snort Subscriber Rules Update

Date: 2015-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
 * 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
 * 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
 * 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
 * 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
 * 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
 * 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
 * 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
 * 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)

Modified Rules:


 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)

2015-11-19 16:21:49 UTC

Snort Subscriber Rules Update

Date: 2015-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
 * 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
 * 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
 * 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
 * 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
 * 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
 * 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)

Modified Rules:


 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)

2015-11-19 16:21:49 UTC

Snort Subscriber Rules Update

Date: 2015-11-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36853 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36852 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36851 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36850 <-> ENABLED <-> FILE-FLASH Adobe Flash Player globalToLocal use-after-free attempt (file-flash.rules)
 * 1:36849 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
 * 1:36848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player GetConsoleMode input action variable corruption attempt (file-flash.rules)
 * 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36846 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36845 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36844 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36843 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36842 <-> ENABLED <-> FILE-FLASH Adobe Flash Player MovieClip object corruption use after free attempt (file-flash.rules)
 * 1:36841 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Leralogs variant outbound connection (malware-cnc.rules)
 * 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
 * 1:36839 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player file API validation bypass attempt (file-flash.rules)
 * 1:36837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString with script objects use after free attempt (file-flash.rules)
 * 1:36835 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload inbound connection (malware-cnc.rules)
 * 1:36834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload outbound connection (malware-cnc.rules)
 * 1:36833 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - Mozila (blacklist.rules)
 * 1:36832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36829 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36828 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 actionExtends use-after-free attempt (file-flash.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)

Modified Rules:


 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
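The three change logs above share one line format, gid:sid <-> Default rule state <-> Message (rule group). The Python below is an added example written for this page, not Talos or Snort code: it parses that format, separates the New Rules and Modified Rules sections, lists the rules that ship DISABLED (which will not fire until enabled in the local policy), counts rules per rule file, and compares the SID sets of two per-version packs. The sample texts are constructed from lines of the release notes above; the second sample deliberately omits one SID so the comparison has something to report, whereas the real 2962, 2975 and 2976 lists carry the same SIDs.

```python
"""Parse Snort Subscriber Rules change logs of the form

    gid:sid <-> Default rule state <-> Message (rule group)

and answer the questions a detection engineer asks of each release:
which rules are new, which are DISABLED by default (so they need an
explicit enable in the local policy), and whether two per-Snort-version
packs actually carry the same set of SIDs.
"""
import re
from collections import Counter

# One rule line: " * 1:36847 <-> ENABLED <-> FILE-FLASH ... attempt (file-flash.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample: lines copied from the 2962 change log above (subset).
SAMPLE_2962 = """\
New Rules:

 * 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)
 * 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
 * 1:36826 <-> ENABLED <-> SERVER-OTHER Java Library CommonsCollection unauthorized serialized object attempt (server-other.rules)
 * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)

Modified Rules:

 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
"""

# Constructed sample: same rules, reordered, with 1:36826 deliberately left out
# to exercise diff_packs(). The real 2975 list on this page is not missing it.
SAMPLE_2975 = """\
New Rules:

 * 1:36825 <-> DISABLED <-> PUA-ADWARE DealPly Adware variant outbound connection (pua-adware.rules)
 * 1:36840 <-> ENABLED <-> BLACKLIST DNS request for known malware domain poems.net16.net - Win.Trojan.Leralogs (blacklist.rules)
 * 1:36847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player AS2 TextField gridFitType use after free attempt (file-flash.rules)

Modified Rules:

 * 1:32948 <-> DISABLED <-> INDICATOR-COMPROMISE Download of executable screensaver file (indicator-compromise.rules)
"""


def parse_rule_line(line):
    """Return a dict for one rule line, or None if the line is not a rule."""
    m = RULE_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["gid"] = int(rec["gid"])
    rec["sid"] = int(rec["sid"])
    # The category is the leading upper-case token of the message (FILE-FLASH, MALWARE-CNC, ...).
    rec["category"] = rec["msg"].split(" ", 1)[0]
    return rec


def parse_changelog(text):
    """Split a change log into its 'New Rules:' and 'Modified Rules:' sections."""
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            current = "new"
            continue
        if stripped == "Modified Rules:":
            current = "modified"
            continue
        rec = parse_rule_line(line)
        if rec and current:
            sections[current].append(rec)
    return sections


def disabled_by_default(records):
    """Sorted gid:sid keys for rules that ship DISABLED; these need an explicit enable in policy."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in records if r["state"] == "DISABLED")


def count_by_group(records):
    """How many rules touch each rule file (file-flash.rules, blacklist.rules, ...)."""
    return Counter(r["group"] for r in records)


def sid_set(records):
    return {(r["gid"], r["sid"]) for r in records}


def diff_packs(packs):
    """Given {pack_name: records}, return {pack_name: SIDs that some other pack has but this one lacks}."""
    all_sids = set().union(*(sid_set(recs) for recs in packs.values()))
    return {name: sorted(all_sids - sid_set(recs)) for name, recs in packs.items()}


if __name__ == "__main__":
    packs = {}
    for name, text in (("2962", SAMPLE_2962), ("2975", SAMPLE_2975)):
        sec = parse_changelog(text)
        packs[name] = sec["new"] + sec["modified"]
        print(name, "new:", len(sec["new"]), "modified:", len(sec["modified"]))
        print("  per rule file:", dict(count_by_group(packs[name])))
        print("  disabled by default:", disabled_by_default(packs[name]))
    print("missing per pack:", diff_packs(packs))
```

The gid:sid strings that disabled_by_default() returns are the form that SID-based enable lists take (for example PulledPork's enablesid.conf, assuming that is the tooling in use), so the output can be reviewed and pasted into the local policy rather than discovered after a rule silently never fires.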