Talos Rules 2016-01-26
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the app-detect, blacklist, browser-firefox, file-flash, file-identify, file-other, file-pdf, malware-cnc, os-windows, protocol-voip, server-other, server-webapp and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-01-26 14:37:13 UTC

Snort Subscriber Rules Update

Date: 2016-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37463 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37452 <-> DISABLED <-> FILE-IDENTIFY PESpin v0.3 packer file magic detected (file-identify.rules)
 * 1:37462 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37460 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37458 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37459 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sovfo variant outbound connection attempt (malware-cnc.rules)
 * 1:37455 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37453 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox location.hostname DOM modification bypass attempt (browser-firefox.rules)
 * 1:37454 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37448 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:37450 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37451 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37465 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 1:37441 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 1:37442 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules)
 * 1:37444 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail index.php _skin directory traversal attempt (server-webapp.rules)
 * 1:37445 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt (os-windows.rules)
 * 1:37456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oriontronproject.site11.com - Win.Trojan.Sovfo (blacklist.rules)
 * 1:37446 <-> DISABLED <-> SERVER-OTHER BigAnt server USV command buffer overflow attempt (server-other.rules)
 * 1:37461 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37464 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 1:37449 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 3:37439 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)
 * 3:37440 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:20387 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:20388 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:14608 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:21319 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:7033 <-> DISABLED <-> APP-DETECT GoToMyPC local service running (app-detect.rules)
 * 1:7034 <-> DISABLED <-> APP-DETECT GoToMyPC remote control attempt (app-detect.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
 * 1:7032 <-> DISABLED <-> APP-DETECT GoToMyPC startup (app-detect.rules)
 * 1:14609 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
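The `gid:sid <-> Default rule state <-> Message (rule group)` format described above is easy to process mechanically, which matters when a release like this one ships a dozen rules DISABLED by default (the SQL sleep-injection, Roundcube traversal, WordPress XSS and BigAnt overflow signatures) that an operator may want to turn on. The following Python is an added example, not part of the Talos release note: it parses the New Rules and Modified Rules sections into records, counts default states, and emits the one-per-line `gid:sid` form that PulledPork's enablesid.conf accepts for the default-disabled rules in chosen categories. The sample text is a constructed excerpt of entries taken from this page; the function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry:  * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)

SECTION_NAMES = ("New Rules", "Modified Rules")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading classification token of the message, e.g. FILE-PDF
    message: str
    group: str      # rule file the sid lives in, e.g. file-pdf.rules


def parse_entry(line):
    """Return a RuleEntry for a well-formed entry line, else None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    return RuleEntry(
        gid=int(m.group("gid")),
        sid=int(m.group("sid")),
        enabled=(m.group("state") == "ENABLED"),
        category=msg.split(" ", 1)[0],
        message=msg,
        group=m.group("group"),
    )


def parse_changelog(text):
    """Split a release note into {'New Rules': [...], 'Modified Rules': [...]}.
    Lines that are not entries (headers, blanks, boilerplate) are ignored."""
    sections = {name: [] for name in SECTION_NAMES}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and stripped[:-1] in sections:
            current = stripped[:-1]
            continue
        entry = parse_entry(line)
        if entry is not None and current is not None:
            sections[current].append(entry)
    return sections


def state_counts(entries):
    """How many rules ship ENABLED vs DISABLED by default."""
    return Counter("ENABLED" if e.enabled else "DISABLED" for e in entries)


def enablesid_lines(entries, categories):
    """gid:sid lines (enablesid.conf form, an assumption about PulledPork's
    input format) for rules that are DISABLED by default and whose
    classification token is in `categories`."""
    picked = [e for e in entries if not e.enabled and e.category in categories]
    return [f"{e.gid}:{e.sid}" for e in sorted(picked, key=lambda e: (e.gid, e.sid))]


# Constructed excerpt of the 2016-01-26 release note (entries copied from it).
SAMPLE = """New Rules:

 * 1:37463 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37460 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules)
 * 3:37439 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)

Modified Rules:

 * 1:7034 <-> DISABLED <-> APP-DETECT GoToMyPC remote control attempt (app-detect.rules)
"""

if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    for name, entries in parsed.items():
        print(name, dict(state_counts(entries)))
    # Web-facing shops often want the default-off webapp/SQL signatures on.
    print("\n".join(enablesid_lines(parsed["New Rules"], {"SQL", "SERVER-WEBAPP"})))
```

Note that `3:37439` and `3:37440` carry gid 3, i.e. they are shared-object (SO) rules rather than text rules; the parser keeps the gid so a policy that only handles gid 1 does not silently drop them.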

2016-01-26 14:37:13 UTC

Snort Subscriber Rules Update

Date: 2016-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules)
 * 1:37444 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail index.php _skin directory traversal attempt (server-webapp.rules)
 * 1:37442 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 1:37449 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:37441 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 1:37450 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37445 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt (os-windows.rules)
 * 1:37451 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37453 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox location.hostname DOM modification bypass attempt (browser-firefox.rules)
 * 1:37454 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37452 <-> DISABLED <-> FILE-IDENTIFY PESpin v0.3 packer file magic detected (file-identify.rules)
 * 1:37455 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oriontronproject.site11.com - Win.Trojan.Sovfo (blacklist.rules)
 * 1:37458 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sovfo variant outbound connection attempt (malware-cnc.rules)
 * 1:37459 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37460 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37461 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37448 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 1:37465 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 1:37463 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37462 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37446 <-> DISABLED <-> SERVER-OTHER BigAnt server USV command buffer overflow attempt (server-other.rules)
 * 1:37464 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 3:37439 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)
 * 3:37440 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
 * 1:7032 <-> DISABLED <-> APP-DETECT GoToMyPC startup (app-detect.rules)
 * 1:7033 <-> DISABLED <-> APP-DETECT GoToMyPC local service running (app-detect.rules)
 * 1:14609 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:14608 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:20387 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:20388 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
 * 1:7034 <-> DISABLED <-> APP-DETECT GoToMyPC remote control attempt (app-detect.rules)
 * 1:21319 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)

2016-01-26 14:37:13 UTC

Snort Subscriber Rules Update

Date: 2016-01-26

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37465 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 1:37464 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader JavaScript model privileged API bypass attempt (file-pdf.rules)
 * 1:37463 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37462 <-> DISABLED <-> SERVER-WEBAPP WordPress Job Manager plugin cross site scripting attempt (server-webapp.rules)
 * 1:37461 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37460 <-> ENABLED <-> FILE-PDF Adobe Reader Graphic State Parameter Dictionaries use after free attempt (file-pdf.rules)
 * 1:37459 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37458 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType font representation decoding memory corruption attempt (file-pdf.rules)
 * 1:37457 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sovfo variant outbound connection attempt (malware-cnc.rules)
 * 1:37456 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oriontronproject.site11.com - Win.Trojan.Sovfo (blacklist.rules)
 * 1:37455 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37454 <-> ENABLED <-> FILE-PDF Adobe Acrobat CoolType malformed font memory corruption attempt (file-pdf.rules)
 * 1:37453 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox location.hostname DOM modification bypass attempt (browser-firefox.rules)
 * 1:37452 <-> DISABLED <-> FILE-IDENTIFY PESpin v0.3 packer file magic detected (file-identify.rules)
 * 1:37451 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37450 <-> ENABLED <-> FILE-PDF Adobe Reader JPEG2000 chroma sub-pattern memory corruption attempt (file-pdf.rules)
 * 1:37449 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 1:37448 <-> ENABLED <-> FILE-PDF Adobe Acrobat U3D Bone Weight Modifier memory corruption attempt (file-pdf.rules)
 * 1:37447 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Evilgrab outbound connection (malware-cnc.rules)
 * 1:37446 <-> DISABLED <-> SERVER-OTHER BigAnt server USV command buffer overflow attempt (server-other.rules)
 * 1:37445 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Color Management Module buffer overflow attempt (os-windows.rules)
 * 1:37444 <-> DISABLED <-> SERVER-WEBAPP Roundcube Webmail index.php _skin directory traversal attempt (server-webapp.rules)
 * 1:37443 <-> DISABLED <-> SQL use of sleep function with select - likely SQL injection (sql.rules)
 * 1:37442 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 1:37441 <-> ENABLED <-> FILE-OTHER Adobe Flash Player javascript parsing cross site scripting attempt (file-other.rules)
 * 3:37439 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)
 * 3:37440 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Manager getkvmurl.cgi command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:21322 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:14608 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:14609 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
 * 1:20387 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax rate management attribute buffer overflow attempt (protocol-voip.rules)
 * 1:21319 <-> DISABLED <-> FILE-FLASH Adobe Acrobat Flash Player version.dll dll-load exploit attempt (file-flash.rules)
 * 1:20388 <-> DISABLED <-> PROTOCOL-VOIP T.38 fax EC attribute buffer overflow attempt (protocol-voip.rules)
 * 1:37053 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt (malware-cnc.rules)
 * 1:7032 <-> DISABLED <-> APP-DETECT GoToMyPC startup (app-detect.rules)
 * 1:7033 <-> DISABLED <-> APP-DETECT GoToMyPC local service running (app-detect.rules)
 * 1:7034 <-> DISABLED <-> APP-DETECT GoToMyPC remote control attempt (app-detect.rules)