Talos Rules 2016-02-25
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-02-25 15:02:31 UTC

Snort Subscriber Rules Update

Date: 2016-02-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37855 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37857 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37856 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37854 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 3:37853 <-> ENABLED <-> SERVER-WEBAPP Cisco ACE A5 trace.vm command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35752 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)
 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:35751 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)

2016-02-25 15:02:31 UTC

Snort Subscriber Rules Update

Date: 2016-02-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37855 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37854 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37856 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37857 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 3:37853 <-> ENABLED <-> SERVER-WEBAPP Cisco ACE A5 trace.vm command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:35752 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:35751 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)

2016-02-25 15:02:31 UTC

Snort Subscriber Rules Update

Date: 2016-02-25

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37857 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37856 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37855 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 1:37854 <-> DISABLED <-> SERVER-WEBAPP D-Link DSL router cross site scripting attempt (server-webapp.rules)
 * 3:37853 <-> ENABLED <-> SERVER-WEBAPP Cisco ACE A5 trace.vm command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:33021 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:35751 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)
 * 1:35752 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat GIF to PDF conversion heap overflow attempt (file-image.rules)
 * 1:33018 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33019 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)
 * 1:33020 <-> DISABLED <-> BROWSER-IE Oracle WebCenter BlackIceDevMode ActiveX clsid access attempt (browser-ie.rules)