Talos Rules 2016-02-13
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, file-flash, file-java, file-multimedia, file-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-02-13 18:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
 * 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)

2016-02-13 18:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
 * 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)

2016-02-13 18:11:05 UTC

Snort Subscriber Rules Update

Date: 2016-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
 * 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
 * 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
 * 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
 * 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
 * 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
 * 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
 * 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
 * 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
 * 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
 * 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)