Talos Rules 2016-01-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, deleted, file-flash, file-office, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-01-07 15:56:59 UTC

Snort Subscriber Rules Update

Date: 2016-01-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37253 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37252 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37251 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37246 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt (file-office.rules)
 * 1:37249 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37250 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37256 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37255 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37242 <-> ENABLED <-> SERVER-WEBAPP D-Link DCS-900 Series Network Camera arbitrary file upload attempt (server-webapp.rules)
 * 1:37254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)

Modified Rules:


 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
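The change log format described above (one `gid:sid <-> Default rule state <-> Message (rule group)` entry per line, under a "New Rules:" or "Modified Rules:" heading) is simple enough to parse and audit automatically, which is worth doing: several rules in this release ship DISABLED and will never fire under the default policy unless the deployment turns them on. The following Python is an added example and is not Talos or Snort code. The sample log is a subset of entries copied from the 2016-01-07 log above; the `enablesid.conf` output format is assumed to be the plain `gid:sid` lines that PulledPork accepts.

```python
import re
from collections import Counter

# Sample input: a subset of the 2016-01-07 change log above, embedded so the example runs offline.
SAMPLE_LOG = """\
Snort Subscriber Rules Update

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

New Rules:

 * 1:37253 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37252 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37246 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt (file-office.rules)
 * 1:37242 <-> ENABLED <-> SERVER-WEBAPP D-Link DCS-900 Series Network Camera arbitrary file upload attempt (server-webapp.rules)

Modified Rules:

 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
"""

# One entry of the documented "gid:sid <-> Default rule state <-> Message (rule group)" format.
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()\s]+)\)\s*$"
)
VERSION_RE = re.compile(r"for Snort version (\d+)")


def parse_changelog(text):
    """Parse a change log into dicts, tagging each entry with the section it sits under."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("New Rules:", "Modified Rules:"):
            section = stripped.rstrip(":")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "gid": int(m["gid"]),
                "sid": int(m["sid"]),
                "enabled": m["state"] == "ENABLED",
                "retired": m["group"] == "deleted.rules",
                "message": m["msg"],
                "group": m["group"],
                "section": section,
            })
    return entries


def snort_versions(text):
    """Snort engine versions named in the log header(s)."""
    return [int(v) for v in VERSION_RE.findall(text)]


def disabled_new_sids(entries):
    """New, non-retired rules shipped DISABLED: they never fire unless the deployment turns them on."""
    return sorted(e["sid"] for e in entries
                  if e["section"] == "New Rules" and not e["enabled"] and not e["retired"])


def enablesid_lines(entries):
    """gid:sid lines for those rules, in the plain form PulledPork's enablesid.conf accepts (assumed)."""
    wanted = set(disabled_new_sids(entries))
    return [f"{e['gid']}:{e['sid']}" for e in entries if e["sid"] in wanted]


def count_by_group(entries):
    """How many entries touched each rule file."""
    return Counter(e["group"] for e in entries)


def consistency_issues(entries):
    """Sanity check: retired rules must be DISABLED and carry the DELETED prefix; live rules must not."""
    issues = []
    for e in entries:
        tagged = e["message"].startswith("DELETED ")
        if e["retired"] and (e["enabled"] or not tagged):
            issues.append(e["sid"])
        if not e["retired"] and tagged:
            issues.append(e["sid"])
    return issues


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_LOG)
    print("Snort versions:", snort_versions(SAMPLE_LOG))
    print("Entries per rule file:", dict(count_by_group(parsed)))
    print("New rules that are off by default:", disabled_new_sids(parsed))
    print("enablesid.conf lines:", enablesid_lines(parsed))
    print("Consistency issues:", consistency_issues(parsed))
```

Run against the full log, the check shows that the Office-document-with-embedded-PowerShell indicators (1:37243, 1:37244), the Win.Backdoor.Chopper web shell detection (1:37245) and the Excel CrErr integer overflow rule (1:37246) are all opt-in in this release, while the Flash use-after-free and D-Link DCS-900 upload rules are on by default. Rules that land directly in deleted.rules (1:37253, 1:37255) are retired on arrival and can be ignored.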

2016-01-07 15:56:59 UTC

Snort Subscriber Rules Update

Date: 2016-01-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37256 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37255 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37253 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37252 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37251 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37250 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37249 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37246 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt (file-office.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37242 <-> ENABLED <-> SERVER-WEBAPP D-Link DCS-900 Series Network Camera arbitrary file upload attempt (server-webapp.rules)

Modified Rules:


 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)

2016-01-07 15:56:59 UTC

Snort Subscriber Rules Update

Date: 2016-01-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37243 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37249 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37250 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37245 <-> DISABLED <-> MALWARE-CNC Win.Backdoor.Chopper web shell connection (malware-cnc.rules)
 * 1:37246 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel CrErr record integer overflow attempt (file-office.rules)
 * 1:37256 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37244 <-> DISABLED <-> INDICATOR-COMPROMISE download of a Office document with embedded PowerShell (indicator-compromise.rules)
 * 1:37251 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37252 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:37254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (file-flash.rules)
 * 1:37253 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)
 * 1:37242 <-> ENABLED <-> SERVER-WEBAPP D-Link DCS-900 Series Network Camera arbitrary file upload attempt (server-webapp.rules)
 * 1:37255 <-> DISABLED <-> DELETED FILE-FLASH Adobe Flash Player improper display list handling memory corruption attempt (deleted.rules)

Modified Rules:


 * 1:37235 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)
 * 1:8068 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Windows Scripting Host Shell ActiveX function call access (browser-plugins.rules)
 * 1:37234 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip use after free attempt (file-flash.rules)