Talos Rules 2016-02-11
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, malware-cnc, malware-tools, os-linux, os-windows, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-02-11 15:11:57 UTC

Snort Subscriber Rules Update

Date: 2016-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules)
 * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules)
 * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules)
 * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules)
 * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules)
 * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules)
 * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)

Modified Rules:


 * 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
 * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules)
 * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)

2016-02-11 15:11:57 UTC

Snort Subscriber Rules Update

Date: 2016-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules)
 * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules)
 * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules)
 * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules)
 * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules)
 * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules)
 * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules)
 * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)

Modified Rules:


 * 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
 * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules)
 * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)

2016-02-11 15:11:57 UTC

Snort Subscriber Rules Update

Date: 2016-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37654 <-> DISABLED <-> OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt (os-linux.rules)
 * 1:37653 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37652 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadPCMFromByteArray exception null pointer access attempt (file-flash.rules)
 * 1:37651 <-> DISABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37650 <-> DISABLED <-> FILE-OTHER CA BrightStor stack buffer overflow attempt (file-other.rules)
 * 1:37649 <-> DISABLED <-> FILE-OTHER Sophos Anti-Virus reserved device name handling vulnerability attempt (file-other.rules)
 * 1:37648 <-> DISABLED <-> SQL Oracle e-Business Suite JTF_BISUTILITY_PUB SQL injection attempt (sql.rules)
 * 1:37647 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant outbound connection (malware-cnc.rules)
 * 1:37646 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Symmi variant dropper download connection (malware-cnc.rules)
 * 1:37645 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37644 <-> ENABLED <-> FILE-FLASH Adobe Flash copyPixelsToByteArray integer overflow attempt (file-flash.rules)
 * 1:37643 <-> DISABLED <-> SQL Oracle e-Business Suite ORACLESSWA SQL injection attempt (sql.rules)
 * 1:37642 <-> DISABLED <-> PUA-ADWARE Win.Adware.Dealply outbound POST attempt (pua-adware.rules)
 * 1:37641 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37640 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37639 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37638 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:37637 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37636 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Graftor outbound connection attempt (malware-cnc.rules)
 * 1:37635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SPNEGO ASN.1 library heap corruption overflow attempt (os-windows.rules)
 * 1:37634 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37633 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:37632 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37631 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37630 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37629 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:37628 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37627 <-> DISABLED <-> FILE-FLASH Adobe Flash Player ByteArray domainMemory use after free attempt (file-flash.rules)
 * 1:37626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox IDL fragment privilege escalation attempt (browser-firefox.rules)
 * 1:37625 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36903 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:12710 <-> DISABLED <-> SERVER-OTHER ASN.1 constructed bit string (server-other.rules)
 * 1:15192 <-> DISABLED <-> BROWSER-PLUGINS SizerOne ActiveX clsid access attempt (browser-plugins.rules)
 * 1:30794 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:30803 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:31380 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:31381 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer 11 onpropertychange remote code execution attempt (browser-ie.rules)
 * 1:32611 <-> DISABLED <-> SERVER-WEBAPP phpMemcachedAdmin path traversal attempt (server-webapp.rules)
 * 1:33665 <-> ENABLED <-> SERVER-OTHER HP Client Automation command injection attempt (server-other.rules)
 * 1:34873 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:34874 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextElement use after free attempt (browser-ie.rules)
 * 1:36286 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit browser detection attempt (exploit-kit.rules)
 * 1:37016 <-> ENABLED <-> EXPLOIT-KIT DoloMalo exploit kit packer detected (exploit-kit.rules)
 * 3:36153 <-> ENABLED <-> SERVER-OTHER IBM Domino LDAP server ModifyRequest stack buffer overflow attempt (server-other.rules)