Talos Rules 2015-12-15
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, blacklist, browser-plugins, file-flash, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-12-15 20:46:19 UTC

Snort Subscriber Rules Update

Date: 2015-12-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
 * 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
 * 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
 * 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
 * 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
 * 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
 * 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
 * 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
 * 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
 * 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
 * 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)

Modified Rules:

 * 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
 * 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)

2015-12-15 20:46:19 UTC

Snort Subscriber Rules Update

Date: 2015-12-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
 * 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)
 * 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
 * 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
 * 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
 * 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
 * 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
 * 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
 * 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
 * 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
 * 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
 * 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
 * 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
 * 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)

Modified Rules:

 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
 * 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)

2015-12-15 20:46:19 UTC

Snort Subscriber Rules Update

Date: 2015-12-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:37078 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37077 <-> ENABLED <-> SERVER-WEBAPP Joomla JDatabaseDriverMysqli unserialize code execution attempt (server-webapp.rules)
 * 1:37076 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37075 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37074 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37073 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37072 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37071 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ShaderParameter integer overflow attempt (file-flash.rules)
 * 1:37070 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37069 <-> ENABLED <-> FILE-FLASH Adobe Flash Player object Filters type confusion use after free attempt (file-flash.rules)
 * 1:37068 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection (malware-cnc.rules)
 * 1:37067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Droot outbound connection (malware-cnc.rules)
 * 1:37066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload (malware-cnc.rules)
 * 1:37065 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Venik outbound connection (malware-cnc.rules)
 * 1:37064 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Telehot outbound connection (malware-cnc.rules)
 * 1:37063 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Paligenpo outbound connection (malware-cnc.rules)
 * 1:37062 <-> DISABLED <-> APP-DETECT 12P DNS request attempt (app-detect.rules)
 * 1:37061 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37060 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37059 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37058 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37057 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37056 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37055 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37054 <-> DISABLED <-> FILE-OTHER BACnet OPC client csv file buffer overflow attempt (file-other.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt (malware-cnc.rules)
 * 1:37052 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TeslaCrypt outbound communication (malware-cnc.rules)
 * 1:37051 <-> ENABLED <-> MALWARE-CNC ATSEngine credit card number sent via URL parameter (malware-cnc.rules)
 * 1:37050 <-> ENABLED <-> MALWARE-CNC ATSEngine initial beacon (malware-cnc.rules)
 * 1:37049 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Geratid variant outbound connection (malware-cnc.rules)
 * 1:37048 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Bookworm variant outbound connection (malware-cnc.rules)
 * 1:37047 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vonterra outbound communication (malware-cnc.rules)
 * 1:37046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain affiliatesys.info - Win.Trojan.Vonteera (blacklist.rules)
 * 1:37045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Kovtar outbound connection (malware-cnc.rules)
 * 1:37044 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37043 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37042 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37041 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37040 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37039 <-> DISABLED <-> SERVER-WEBAPP Atlassian HipChat Plugin template injection remote code execution attempt (server-webapp.rules)
 * 1:37038 <-> DISABLED <-> SERVER-WEBAPP HumHub index.php from parameter SQL injection attempt (server-webapp.rules)
 * 1:37037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection (malware-cnc.rules)

Modified Rules:

 * 1:36889 <-> ENABLED <-> MALWARE-CNC TinyDropper variant outbound connection (malware-cnc.rules)
 * 1:8375 <-> DISABLED <-> BROWSER-PLUGINS QuickTime Object ActiveX clsid access (browser-plugins.rules)
 * 1:32769 <-> ENABLED <-> MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC (malware-cnc.rules)
 * 1:34875 <-> DISABLED <-> SERVER-WEBAPP ManageEngine EventLog Analyzer cross site request forgery attempt (server-webapp.rules)
 * 1:11826 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Voice Control Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:11830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Direct Speech Recognition ActiveX clsid access attempt (browser-plugins.rules)
 * 1:11232 <-> DISABLED <-> BROWSER-PLUGINS Microsoft CAPICOM CAPICOM.Certificates ActiveX clsid access attempt (browser-plugins.rules)
 * 3:16533 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ISATAP-addressed IPv6 traffic spoofing attempt (os-windows.rules)