Talos Rules 2016-02-16
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, malware-cnc, malware-tools, netbios, policy-other, protocol-pop and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-02-16 16:32:35 UTC

Snort Subscriber Rules Update

Date: 2016-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
 * 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
 * 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)
 * 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)

Modified Rules:


 * 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
 * 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
 * 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
 * 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
 * 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
 * 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)

2016-02-16 16:32:35 UTC

Snort Subscriber Rules Update

Date: 2016-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
 * 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
 * 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
 * 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)

Modified Rules:


 * 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
 * 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
 * 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
 * 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
 * 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)

2016-02-16 16:32:35 UTC

Snort Subscriber Rules Update

Date: 2016-02-16

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
 * 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)
 * 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
 * 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
 * 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
 * 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
 * 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
 * 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
 * 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
 * 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
 * 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
 * 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
 * 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
 * 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
 * 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
 * 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)