Talos has added and modified multiple rules in the browser-plugins, file-flash, file-java, file-multimedia, file-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
* 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
* 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
* 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
* 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
* 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)
* 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37674 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:37673 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 1:37672 <-> DISABLED <-> FILE-FLASH Adobe Flash Player heap object address enumeration technique (file-flash.rules)
* 1:37671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37670 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37669 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37668 <-> ENABLED <-> FILE-FLASH Adobe Flash Player convolution filter use-after-free attempt (file-flash.rules)
* 1:37667 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37666 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector arbitrary command execution attempt (server-other.rules)
* 1:37665 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37664 <-> ENABLED <-> FILE-JAVA Oracle Java ServiceLoader exception handling exploit attempt (file-java.rules)
* 1:37663 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:37662 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37661 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37660 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37659 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37658 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37657 <-> DISABLED <-> SERVER-WEBAPP Headline Portal Engine HPEInc remote file include attempt (server-webapp.rules)
* 1:37656 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 1:37655 <-> DISABLED <-> OS-WINDOWS Microsoft .NET Framework XSLT parser stack exhaustion attempt (os-windows.rules)
* 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 3:37676 <-> ENABLED <-> SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (server-other.rules)
* 1:29979 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection Manager Unauthenticated XML External Entity Injection attempt (server-webapp.rules)
* 1:19956 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Movie Maker project file heap buffer overflow attempt (file-multimedia.rules)
* 1:34389 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
* 1:34390 <-> ENABLED <-> FILE-OTHER Microsoft Journal out of bounds read attempt (file-other.rules)
* 1:36662 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA ActiveX clsid access (browser-plugins.rules)
* 1:36640 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess SCADA webdact.ocx AccessCode ActiveX clsid access attempt (browser-plugins.rules)