Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-other, indicator-shellcode, malware-backdoor, malware-cnc, netbios, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38316 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:38313 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
* 1:38315 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38312 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
* 1:38311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
* 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
* 1:38308 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:38307 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
* 1:38305 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt (exploit-kit.rules)
* 1:37934 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 1:38304 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - JexBoss (blacklist.rules)
* 1:38298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.auhazard.com - SpywareJarl (blacklist.rules)
* 1:38297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain agent.wizztrakys.com - SpywareJarl (blacklist.rules)
* 1:38301 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.csdimonetize.com - SpywareJarl (blacklist.rules)
* 1:38303 <-> DISABLED <-> SERVER-WEBAPP Bonita BPM themeResource directory traversal attempt (server-webapp.rules)
* 1:38306 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
* 1:38309 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:38314 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:38319 <-> DISABLED <-> NETBIOS SMB winreg named pipe creation attempt (netbios.rules)
* 1:38299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl (blacklist.rules)
* 1:38300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl (blacklist.rules)
* 1:38329 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt (malware-backdoor.rules)
* 1:38328 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy connection attempt (malware-backdoor.rules)
* 1:38291 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
* 1:38321 <-> DISABLED <-> NETBIOS SMB svcctl named pipe creation attempt (netbios.rules)
* 1:38327 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg proxy read attempt (malware-backdoor.rules)
* 1:38322 <-> DISABLED <-> NETBIOS SMB samr named pipe creation attempt (netbios.rules)
* 1:38320 <-> DISABLED <-> NETBIOS SMB srvsvc named pipe creation attempt (netbios.rules)
* 1:38292 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
* 3:38302 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCPv6 relay denial of service attempt (server-other.rules)
* 1:21516 <-> ENABLED <-> SERVER-WEBAPP JBoss JMX console access attempt (server-webapp.rules)
* 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)
* 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
* 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
* 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
* 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
* 1:24342 <-> ENABLED <-> SERVER-WEBAPP JBoss web console access attempt (server-webapp.rules)
* 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
* 1:21517 <-> ENABLED <-> SERVER-WEBAPP JBoss admin-console access (server-webapp.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38329 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt (malware-backdoor.rules)
* 1:38328 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy connection attempt (malware-backdoor.rules)
* 1:38327 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg proxy read attempt (malware-backdoor.rules)
* 1:38322 <-> DISABLED <-> NETBIOS SMB samr named pipe creation attempt (netbios.rules)
* 1:38321 <-> DISABLED <-> NETBIOS SMB svcctl named pipe creation attempt (netbios.rules)
* 1:38320 <-> DISABLED <-> NETBIOS SMB srvsvc named pipe creation attempt (netbios.rules)
* 1:38319 <-> DISABLED <-> NETBIOS SMB winreg named pipe creation attempt (netbios.rules)
* 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
* 1:38316 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38315 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38314 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
* 1:38313 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
* 1:38312 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
* 1:38311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
* 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
* 1:38309 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:38308 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
* 1:38307 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
* 1:38306 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
* 1:38305 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt (exploit-kit.rules)
* 1:38304 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - JexBoss (blacklist.rules)
* 1:38303 <-> DISABLED <-> SERVER-WEBAPP Bonita BPM themeResource directory traversal attempt (server-webapp.rules)
* 1:38301 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.csdimonetize.com - SpywareJarl (blacklist.rules)
* 1:38300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl (blacklist.rules)
* 1:38299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl (blacklist.rules)
* 1:38298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.auhazard.com - SpywareJarl (blacklist.rules)
* 1:38297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain agent.wizztrakys.com - SpywareJarl (blacklist.rules)
* 1:38292 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
* 1:38291 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
* 1:37934 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
* 3:38302 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCPv6 relay denial of service attempt (server-other.rules)
* 1:21516 <-> ENABLED <-> SERVER-WEBAPP JBoss JMX console access attempt (server-webapp.rules)
* 1:24342 <-> ENABLED <-> SERVER-WEBAPP JBoss web console access attempt (server-webapp.rules)
* 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
* 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
* 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
* 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
* 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
* 1:21517 <-> ENABLED <-> SERVER-WEBAPP JBoss admin-console access (server-webapp.rules)
* 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)