Talos Rules 2016-03-23
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-other, indicator-shellcode, malware-backdoor, malware-cnc, netbios, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-23 21:31:42 UTC

Snort Subscriber Rules Update

Date: 2016-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38316 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38313 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
 * 1:38315 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38312 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
 * 1:38311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:38308 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:38307 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
 * 1:38305 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt (exploit-kit.rules)
 * 1:37934 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 1:38304 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - JexBoss (blacklist.rules)
 * 1:38298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.auhazard.com - SpywareJarl (blacklist.rules)
 * 1:38297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain agent.wizztrakys.com - SpywareJarl (blacklist.rules)
 * 1:38301 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.csdimonetize.com - SpywareJarl (blacklist.rules)
 * 1:38303 <-> DISABLED <-> SERVER-WEBAPP Bonita BPM themeResource directory traversal attempt (server-webapp.rules)
 * 1:38306 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
 * 1:38309 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:38314 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38319 <-> DISABLED <-> NETBIOS SMB winreg named pipe creation attempt (netbios.rules)
 * 1:38299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl (blacklist.rules)
 * 1:38300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl (blacklist.rules)
 * 1:38329 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt (malware-backdoor.rules)
 * 1:38328 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy connection attempt (malware-backdoor.rules)
 * 1:38291 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
 * 1:38321 <-> DISABLED <-> NETBIOS SMB svcctl named pipe creation attempt (netbios.rules)
 * 1:38327 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg proxy read attempt (malware-backdoor.rules)
 * 1:38322 <-> DISABLED <-> NETBIOS SMB samr named pipe creation attempt (netbios.rules)
 * 1:38320 <-> DISABLED <-> NETBIOS SMB srvsvc named pipe creation attempt (netbios.rules)
 * 1:38292 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
 * 3:38302 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCPv6 relay denial of service attempt (server-other.rules)

Modified Rules:

 * 1:21516 <-> ENABLED <-> SERVER-WEBAPP JBoss JMX console access attempt (server-webapp.rules)
 * 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
 * 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
 * 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
 * 1:24342 <-> ENABLED <-> SERVER-WEBAPP JBoss web console access attempt (server-webapp.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:21517 <-> ENABLED <-> SERVER-WEBAPP JBoss admin-console access (server-webapp.rules)

2016-03-23 21:31:42 UTC

Snort Subscriber Rules Update

Date: 2016-03-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38329 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt (malware-backdoor.rules)
 * 1:38328 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg socks proxy connection attempt (malware-backdoor.rules)
 * 1:38327 <-> ENABLED <-> MALWARE-BACKDOOR ReGeorg proxy read attempt (malware-backdoor.rules)
 * 1:38322 <-> DISABLED <-> NETBIOS SMB samr named pipe creation attempt (netbios.rules)
 * 1:38321 <-> DISABLED <-> NETBIOS SMB svcctl named pipe creation attempt (netbios.rules)
 * 1:38320 <-> DISABLED <-> NETBIOS SMB srvsvc named pipe creation attempt (netbios.rules)
 * 1:38319 <-> DISABLED <-> NETBIOS SMB winreg named pipe creation attempt (netbios.rules)
 * 1:38318 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38317 <-> ENABLED <-> FILE-OTHER Microsoft Edge Chakra JavaScript engine out of bounds read attempt (file-other.rules)
 * 1:38316 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38315 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38314 <-> DISABLED <-> SERVER-WEBAPP Borland AccuRev Reprise License Server directory traversal attempt (server-webapp.rules)
 * 1:38313 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
 * 1:38312 <-> ENABLED <-> SERVER-OTHER Redis lua script integer overflow attempt (server-other.rules)
 * 1:38311 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:38310 <-> ENABLED <-> FILE-FLASH Adobe Flash Player integer underflow attempt (file-flash.rules)
 * 1:38309 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:38308 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:38307 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
 * 1:38306 <-> ENABLED <-> FILE-IDENTIFY DMG com.apple.decmpfs file magic detected (file-identify.rules)
 * 1:38305 <-> ENABLED <-> EXPLOIT-KIT Angler Gate redirect attempt (exploit-kit.rules)
 * 1:38304 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string - JexBoss (blacklist.rules)
 * 1:38303 <-> DISABLED <-> SERVER-WEBAPP Bonita BPM themeResource directory traversal attempt (server-webapp.rules)
 * 1:38301 <-> ENABLED <-> BLACKLIST DNS request for known malware domain www.csdimonetize.com - SpywareJarl (blacklist.rules)
 * 1:38300 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl (blacklist.rules)
 * 1:38299 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl (blacklist.rules)
 * 1:38298 <-> ENABLED <-> BLACKLIST DNS request for known malware domain dl.auhazard.com - SpywareJarl (blacklist.rules)
 * 1:38297 <-> ENABLED <-> BLACKLIST DNS request for known malware domain agent.wizztrakys.com - SpywareJarl (blacklist.rules)
 * 1:38292 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
 * 1:38291 <-> ENABLED <-> FILE-IDENTIFY UDF file magic detected (file-identify.rules)
 * 1:37934 <-> DISABLED <-> PROTOCOL-FTP Computer Associates eTrust Secure Content Manager LIST stack overflow attempt (protocol-ftp.rules)
 * 3:38302 <-> ENABLED <-> SERVER-OTHER Cisco IOS DHCPv6 relay denial of service attempt (server-other.rules)

Modified Rules:

 * 1:21516 <-> ENABLED <-> SERVER-WEBAPP JBoss JMX console access attempt (server-webapp.rules)
 * 1:24342 <-> ENABLED <-> SERVER-WEBAPP JBoss web console access attempt (server-webapp.rules)
 * 1:24343 <-> ENABLED <-> SERVER-WEBAPP JBoss JMXInvokerServlet access attempt (server-webapp.rules)
 * 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:30938 <-> ENABLED <-> MALWARE-CNC Linux.Trojan.Roopre outbound connection (malware-cnc.rules)
 * 1:34194 <-> ENABLED <-> SERVER-WEBAPP RevSlider information disclosure attempt (server-webapp.rules)
 * 1:38228 <-> ENABLED <-> EXPLOIT-KIT Angler EK landing page URI request attempt (exploit-kit.rules)
 * 1:21517 <-> ENABLED <-> SERVER-WEBAPP JBoss admin-console access (server-webapp.rules)
 * 1:1394 <-> DISABLED <-> INDICATOR-SHELLCODE x86 inc ecx NOOP (indicator-shellcode.rules)