Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-backdoor, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
* 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
* 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
* 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
* 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)
* 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)

* 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
* 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
* 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
* 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
* 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)
* 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)

* 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
* 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
* 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
* 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
* 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
* 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
* 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
* 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
* 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
* 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
* 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
* 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
* 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
* 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)
* 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)

* 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
* 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)