Talos Rules 2016-02-04
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-02-04 19:03:40 UTC

Snort Subscriber Rules Update

Date: 2016-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
 * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
 * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
 * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
 * 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
 * 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
 * 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)
 * 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
 * 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)

Modified Rules:


 * 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)

2016-02-04 19:03:39 UTC

Snort Subscriber Rules Update

Date: 2016-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
 * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)
 * 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
 * 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
 * 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
 * 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
 * 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
 * 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
 * 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)

Modified Rules:


 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)

2016-02-04 19:03:39 UTC

Snort Subscriber Rules Update

Date: 2016-02-04

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37551 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
 * 1:37550 <-> ENABLED <-> EXPLOIT-KIT Nuclear landing page detected (exploit-kit.rules)
 * 1:37549 <-> DISABLED <-> EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt (exploit-kit.rules)
 * 1:37548 <-> ENABLED <-> EXPLOIT-KIT Malicious iFrame redirection injection attempt (exploit-kit.rules)
 * 1:37547 <-> DISABLED <-> SERVER-WEBAPP eClinicalWorks portalUserService.jsp SQL injection attempt (server-webapp.rules)
 * 1:37546 <-> ENABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager connection attempt (server-other.rules)
 * 1:37545 <-> DISABLED <-> POLICY-OTHER Netcore/Netis firmware hard-coded backdoor account access attempt (policy-other.rules)
 * 1:37544 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37543 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37542 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37541 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37540 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37539 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge WebPartHelper ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37538 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37537 <-> DISABLED <-> BROWSER-PLUGINS Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37536 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37535 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37534 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Derusbi outbound connection (malware-cnc.rules)
 * 1:37533 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37532 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37531 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37530 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt (file-pdf.rules)
 * 1:37529 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit iframe injection attempt (exploit-kit.rules)
 * 1:37528 <-> ENABLED <-> EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt (exploit-kit.rules)

Modified Rules:


 * 1:37516 <-> DISABLED <-> MALWARE-CNC MALWARE-CNC Win.Trojan.Sality variant outbound connection (malware-cnc.rules)
 * 1:34371 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:34372 <-> ENABLED <-> FILE-OTHER Microsoft Journal memory corruption attempt (file-other.rules)
 * 1:33977 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:33978 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BrokerExtTextOutW invalid string and length parameter sandbox escape attempt (file-flash.rules)
 * 1:30961 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)
 * 1:30963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement use after free attempt (browser-ie.rules)