Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-office, indicator-obfuscation, malware-cnc, os-windows, protocol-dns, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38268 <-> DISABLED <-> SERVER-APACHE 404 OK response (server-apache.rules)
* 1:38267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:38266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
* 1:38264 <-> DISABLED <-> OS-WINDOWS DCERPC Direct detection of malicious DCE RPC request in suspicious pcap (os-windows.rules)
* 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38258 <-> ENABLED <-> MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38255 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38257 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38254 <-> ENABLED <-> EXPLOIT-KIT Known malicious redirection attempt (exploit-kit.rules)
* 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules)
* 1:38252 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
* 1:38253 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
* 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules)
* 1:38248 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1329 buffer overflow attempt (server-other.rules)
* 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules)
* 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38262 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
* 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38263 <-> DISABLED <-> SERVER-OTHER CUPS Filters command injection attempt (server-other.rules)
* 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules)
* 1:38270 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server HTTP header overflow attempt (server-other.rules)
* 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38271 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server malicious URI code execution attempt (server-other.rules)
* 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
* 1:14644 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer createRange cross domain scripting (browser-ie.rules)
* 1:15082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
* 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
* 1:15934 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (protocol-dns.rules)
* 1:17124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:19295 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
* 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
* 1:30789 <-> DISABLED <-> SERVER-WEBAPP Acunetix web vulnerability scanner fake URL exploit attempt (server-webapp.rules)
* 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38271 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server malicious URI code execution attempt (server-other.rules)
* 1:38270 <-> DISABLED <-> SERVER-OTHER Wavelink Emulation License Server HTTP header overflow attempt (server-other.rules)
* 1:38269 <-> DISABLED <-> SERVER-WEBAPP Netgear ReadyNAS Surveillance cgi_system command injection attempt (server-webapp.rules)
* 1:38268 <-> DISABLED <-> SERVER-APACHE 404 OK response (server-apache.rules)
* 1:38267 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:38266 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
* 1:38264 <-> DISABLED <-> OS-WINDOWS DCERPC Direct detection of malicious DCE RPC request in suspicious pcap (os-windows.rules)
* 1:38263 <-> DISABLED <-> SERVER-OTHER CUPS Filters command injection attempt (server-other.rules)
* 1:38262 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
* 1:38261 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38260 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38259 <-> ENABLED <-> MALWARE-CNC PowerShell Empire outbound request (malware-cnc.rules)
* 1:38258 <-> ENABLED <-> MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38257 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38255 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
* 1:38254 <-> ENABLED <-> EXPLOIT-KIT Known malicious redirection attempt (exploit-kit.rules)
* 1:38253 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
* 1:38252 <-> DISABLED <-> SERVER-WEBAPP AWStats awstats.cgi remote file include attempt (server-webapp.rules)
* 1:38251 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded script language declaration detected (indicator-obfuscation.rules)
* 1:38250 <-> DISABLED <-> INDICATOR-OBFUSCATION HTML entity encoded ActiveX object instantiation detected (indicator-obfuscation.rules)
* 1:38249 <-> DISABLED <-> SERVER-WEBAPP Samsung Data Manager default password login attempt (server-webapp.rules)
* 1:38248 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack Server opcode 1329 buffer overflow attempt (server-other.rules)
* 1:13249 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 10/8 address detected (protocol-dns.rules)
* 1:14644 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer createRange cross domain scripting (browser-ie.rules)
* 1:15082 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word rtf malformed dpcallout buffer overflow attempt (file-office.rules)
* 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
* 1:15934 <-> DISABLED <-> PROTOCOL-DNS dns response for rfc1918 172.16/12 address detected (protocol-dns.rules)
* 1:17124 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:19295 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word HTML linked objects memory corruption attempt (file-office.rules)
* 1:29713 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
* 1:29714 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer overlapping object boundaries memory corruption attempt (browser-ie.rules)
* 1:30789 <-> DISABLED <-> SERVER-WEBAPP Acunetix web vulnerability scanner fake URL exploit attempt (server-webapp.rules)
* 1:35184 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:35185 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer meta tag double free attempt (browser-ie.rules)
* 1:36922 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:36923 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:37014 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
* 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)