Talos has added and modified multiple rules in the blacklist, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36904 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain alternate009.com (blacklist.rules)
* 1:36906 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain echotec.asia (blacklist.rules)
* 1:36907 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain foryousee.net (blacklist.rules)
* 1:36908 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain rausers.com (blacklist.rules)
* 1:36910 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain mechanicnote.com (blacklist.rules)
* 1:36905 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain cainformations.com (blacklist.rules)
* 1:36909 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain news-google.net (blacklist.rules)
* 1:36912 <-> DISABLED <-> SERVER-OTHER Novell eDirectory dhost buffer overflow attempt (server-other.rules)
* 1:36911 <-> ENABLED <-> MALWARE-CNC GlassRAT handshake beacon (malware-cnc.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
* 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36908 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain rausers.com (blacklist.rules)
* 1:36909 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain news-google.net (blacklist.rules)
* 1:36907 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain foryousee.net (blacklist.rules)
* 1:36911 <-> ENABLED <-> MALWARE-CNC GlassRAT handshake beacon (malware-cnc.rules)
* 1:36910 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain mechanicnote.com (blacklist.rules)
* 1:36906 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain echotec.asia (blacklist.rules)
* 1:36904 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain alternate009.com (blacklist.rules)
* 1:36912 <-> DISABLED <-> SERVER-OTHER Novell eDirectory dhost buffer overflow attempt (server-other.rules)
* 1:36905 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain cainformations.com (blacklist.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

* 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
* 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36912 <-> DISABLED <-> SERVER-OTHER Novell eDirectory dhost buffer overflow attempt (server-other.rules)
* 1:36911 <-> ENABLED <-> MALWARE-CNC GlassRAT handshake beacon (malware-cnc.rules)
* 1:36910 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain mechanicnote.com (blacklist.rules)
* 1:36909 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain news-google.net (blacklist.rules)
* 1:36908 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain rausers.com (blacklist.rules)
* 1:36907 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain foryousee.net (blacklist.rules)
* 1:36906 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain echotec.asia (blacklist.rules)
* 1:36905 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain cainformations.com (blacklist.rules)
* 1:36904 <-> ENABLED <-> BLACKLIST DNS GlassRAT domain alternate009.com (blacklist.rules)
* 3:36913 <-> ENABLED <-> SERVER-WEBAPP Cisco WebEx Meetings Server command injection attempt (server-webapp.rules)

* 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
* 1:33912 <-> ENABLED <-> MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website (malware-cnc.rules)
* 3:32108 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)
* 3:32107 <-> ENABLED <-> SERVER-WEBAPP Cisco ASA WebVPN directory traversal attempt (server-webapp.rules)