Talos Rules 2016-03-17
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-office, indicator-obfuscation, malware-cnc, os-windows, protocol-dns, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-17 18:40:04 UTC

Snort Subscriber Rules Update

Date: 2016-03-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38268 <-> DISABLED <-> SERVER-APACHE 404 OK response (server-apache.rules)
 * 1:38267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:38266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:38264 <-> DISABLED <-> OS-WINDOWS DCERPC Direct detection of malicious DCE RPC request in suspicious pcap (os-windows.rules)
 * 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38258 <-> ENABLED <-> MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38255 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38257 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38254 <-> ENABLED <-> EXPLOIT-KIT Known malicious redirection attempt (exploit-kit.rules)
 * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules)
 * 1:38252 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
 * 1:38253 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
 * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules)
 * 1:38248 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1329 buffer overflow attempt (server-other.rules)
 * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38262 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38263 <-> DISABLED <-> SERVER-OTHER CUPS Filters command injection attempt (server-other.rules)
 * 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules)
 * 1:38270 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server HTTP header overflow attempt (server-other.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38271 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server malicious URI code execution attempt (server-other.rules)

Modified Rules:

 * 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
 * 1:14644 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer createRange cross domain scripting (browser-ie.rules)
 * 1:15082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:15934 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (protocol-dns.rules)
 * 1:17124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:19295 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:30789 <-> DISABLED <-> SERVER-WEBAPP Acunetix web vulnerability scanner fake URL exploit attempt (server-webapp.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)

2016-03-17 18:40:04 UTC

Snort Subscriber Rules Update

Date: 2016-03-17

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38271 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server malicious URI code execution attempt (server-other.rules)
 * 1:38270 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server HTTP header overflow attempt (server-other.rules)
 * 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules)
 * 1:38268 <-> DISABLED <-> SERVER-APACHE 404 OK response (server-apache.rules)
 * 1:38267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:38266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:38264 <-> DISABLED <-> OS-WINDOWS DCERPC Direct detection of malicious DCE RPC request in suspicious pcap (os-windows.rules)
 * 1:38263 <-> DISABLED <-> SERVER-OTHER CUPS Filters command injection attempt (server-other.rules)
 * 1:38262 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
 * 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
 * 1:38258 <-> ENABLED <-> MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38257 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38255 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38254 <-> ENABLED <-> EXPLOIT-KIT Known malicious redirection attempt (exploit-kit.rules)
 * 1:38253 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
 * 1:38252 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
 * 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules)
 * 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules)
 * 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules)
 * 1:38248 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1329 buffer overflow attempt (server-other.rules)

Modified Rules:

 * 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
 * 1:14644 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer createRange cross domain scripting (browser-ie.rules)
 * 1:15082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:15934 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (protocol-dns.rules)
 * 1:17124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:19295 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
 * 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
 * 1:30789 <-> DISABLED <-> SERVER-WEBAPP Acunetix web vulnerability scanner fake URL exploit attempt (server-webapp.rules)
 * 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
 * 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)