Talos Rules 2015-12-01
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-12-01 14:30:02 UTC

Snort Subscriber Rules Update

Date: 2015-12-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
 * 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
 * 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)

Modified Rules:


 * 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)

2015-12-01 14:30:02 UTC

Snort Subscriber Rules Update

Date: 2015-12-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
 * 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
 * 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)
 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
 * 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)

Modified Rules:


 * 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)

2015-12-01 14:30:01 UTC

Snort Subscriber Rules Update

Date: 2015-12-01

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36902 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36901 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36900 <-> DISABLED <-> SERVER-WEBAPP Oracle BeeHive showRecxml.jsp directory traversal attempt (server-webapp.rules)
 * 1:36899 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36898 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
 * 1:36897 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionScript ProgressBar use after free attempt (file-flash.rules)
 * 1:36896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt (browser-ie.rules)
 * 1:36895 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36894 <-> DISABLED <-> SERVER-WEBAPP Zend Technologies Zend Framework heuristicScan XML external entity injection attempt (server-webapp.rules)
 * 1:36893 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Trfijan outbound connection (malware-cnc.rules)
 * 1:36892 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36891 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:36890 <-> ENABLED <-> MALWARE-CNC AbbadonPOS variant outbound connection (malware-cnc.rules)
 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:36888 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint out of bounds value remote code execution attempt (file-office.rules)

Modified Rules:


 * 1:25004 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:25005 <-> DISABLED <-> BROWSER-PLUGINS ClearQuest session ActiveX control access (browser-plugins.rules)
 * 1:35648 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:35649 <-> ENABLED <-> FILE-FLASH Adobe Flash Player XML pointer wrong parent reference (file-flash.rules)
 * 1:36097 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36098 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36099 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager SubmitQuery SQL injection attempt (server-webapp.rules)
 * 1:36100 <-> DISABLED <-> SERVER-WEBAPP ManageEngine OpManager default credentials authentication attempt (server-webapp.rules)
 * 1:36101 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36102 <-> DISABLED <-> SERVER-WEBAPP ManageEngine ServiceDesk ExportImport.do directory traversal attempt (server-webapp.rules)
 * 1:36145 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 1:36143 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetConnection AS2 arbitrary code execution attempt (file-flash.rules)
 * 3:30933 <-> ENABLED <-> SERVER-OTHER Cisco RV180 VPN remote code execution attempt (server-other.rules)
 * 3:32101 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN login.html memory corruption attempt (server-webapp.rules)