Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, malware-cnc, malware-tools, netbios, policy-other, protocol-pop and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
* 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
* 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
* 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
* 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)
* 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
* 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)

* 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
* 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
* 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
* 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
* 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
* 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
* 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
* 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
* 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
* 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
* 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
* 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
* 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)

* 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
* 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
* 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
* 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
* 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
* 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
* 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:37687 <-> ENABLED <-> SERVER-WEBAPP Oracle e-Business Suite HR_UTIL_DISP_WEB SQL injection attempt (server-webapp.rules)
* 1:37686 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound POST attempt (malware-cnc.rules)
* 1:37685 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37684 <-> ENABLED <-> FILE-FLASH Adobe Flash Player worker shared object user-after-free attempt (file-flash.rules)
* 1:37683 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable pop3.stat flowbit (policy-other.rules)
* 1:37682 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable smb.session.negotiate flowbit (policy-other.rules)
* 1:37681 <-> DISABLED <-> POLICY-OTHER junk rule to autoenable vnetd.bpspsserver.connection flowbit (policy-other.rules)
* 1:37680 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
* 1:37679 <-> ENABLED <-> FILE-FLASH Adobe Flash player ASNative textField use after free attempt (file-flash.rules)
* 1:37678 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:37677 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)

* 1:36636 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit index uri request attempt (exploit-kit.rules)
* 1:37018 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)
* 1:28436 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:36635 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
* 1:16594 <-> DISABLED <-> PROTOCOL-POP STAT command (protocol-pop.rules)
* 1:28435 <-> DISABLED <-> BROWSER-PLUGINS IBM SPSS SamplePower ActiveX clsid access attempt (browser-plugins.rules)
* 1:16381 <-> DISABLED <-> NETBIOS SMB session negotiation request (netbios.rules)
* 1:9431 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook Express NNTP response overflow attempt (file-office.rules)
* 1:6010 <-> DISABLED <-> SERVER-OTHER VERITAS NetBackup vnetd connection attempt (server-other.rules)
* 1:37651 <-> ENABLED <-> MALWARE-TOOLS Win.Trojan.Downloader outbound connection attempt (malware-tools.rules)
* 1:37019 <-> DISABLED <-> SERVER-WEBAPP wordpress kses bypass cross site scripting attempt (server-webapp.rules)