Talos Rules 2016-01-21
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-pdf, malware-backdoor, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-01-21 17:28:31 UTC

Snort Subscriber Rules Update

Date: 2016-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
 * 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
 * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
 * 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
 * 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)
 * 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)

Modified Rules:


 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)

2016-01-21 17:28:31 UTC

Snort Subscriber Rules Update

Date: 2016-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
 * 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
 * 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
 * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
 * 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)
 * 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)

Modified Rules:


 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)

2016-01-21 17:28:31 UTC

Snort Subscriber Rules Update

Date: 2016-01-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37415 <-> DISABLED <-> SERVER-WEBAPP JBoss expression language actionOutcome remote code execution attempt (server-webapp.rules)
 * 1:37416 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37418 <-> ENABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37412 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37438 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37437 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37411 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS hidden credentials authentication attempt (server-webapp.rules)
 * 1:37435 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37417 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37419 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT inbound connection (malware-backdoor.rules)
 * 1:37420 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT initial connection (malware-backdoor.rules)
 * 1:37421 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT download (malware-backdoor.rules)
 * 1:37422 <-> DISABLED <-> MALWARE-BACKDOOR Adzok RAT server file download (malware-backdoor.rules)
 * 1:37423 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)
 * 1:37436 <-> ENABLED <-> OS-LINUX Linux Kernel keyring object exploit download attempt (os-linux.rules)
 * 1:37424 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37425 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState double free attempt (file-pdf.rules)
 * 1:37427 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37428 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37429 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37430 <-> DISABLED <-> SERVER-WEBAPP IP Camera /cgi-bin/admin/servetest command injection attempt (server-webapp.rules)
 * 1:37431 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37434 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 1:37432 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader ExtGState use after free attempt (file-pdf.rules)
 * 1:37413 <-> DISABLED <-> SERVER-WEBAPP SevOne NMS kill.php command injection attempt (server-webapp.rules)
 * 1:37433 <-> DISABLED <-> FILE-PDF Adobe Reader setPersistent use after free attempt (file-pdf.rules)
 * 3:37414 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS zero length DHCP VPN suboption denial of service attempt (server-other.rules)
 * 3:37426 <-> ENABLED <-> SERVER-OTHER Cisco NX-OS DHCP option parsing denial of service attempt (server-other.rules)

Modified Rules:


 * 1:35332 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:35331 <-> DISABLED <-> FILE-PDF Adobe Reader PDF document closed prior to javascript termination use after free attempt (file-pdf.rules)
 * 1:18304 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer span tag memory corruption attempt (browser-ie.rules)