Talos Rules 2016-03-29
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, exploit-kit, file-executable, file-image, file-java, indicator-obfuscation, malware-cnc, malware-other, os-linux, os-other, policy-other, protocol-dns, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-29 14:39:43 UTC

Snort Subscriber Rules Update

Date: 2016-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38348 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:38360 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38361 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38362 <-> DISABLED <-> BROWSER-OTHER HTTP Evader ICY header evasion attempt (browser-other.rules)
 * 1:38363 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38349 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
 * 1:38350 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
 * 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt (os-linux.rules)
 * 3:38347 <-> ENABLED <-> FILE-EXECUTABLE PHP libmagic PE out of bounds memory access attempt (file-executable.rules)

Modified Rules:


 * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
 * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
 * 1:24737 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:25121 <-> ENABLED <-> FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt (file-java.rules)
 * 1:6697 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
 * 1:24328 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24327 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24330 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:18710 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:23790 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt (browser-firefox.rules)
 * 1:24325 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24326 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24324 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
 * 1:24333 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24332 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:6405 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
 * 1:36798 <-> ENABLED <-> EXPLOIT-KIT GongDa landing page detected (exploit-kit.rules)
 * 1:24996 <-> DISABLED <-> SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt (server-other.rules)
 * 1:27244 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirect (server-apache.rules)
 * 1:28985 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 1:31455 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
 * 1:24331 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
 * 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)

2016-03-29 14:39:43 UTC

Snort Subscriber Rules Update

Date: 2016-03-29

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38363 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer deleted button use after free attempt (browser-ie.rules)
 * 1:38362 <-> DISABLED <-> BROWSER-OTHER HTTP Evader ICY header evasion attempt (browser-other.rules)
 * 1:38361 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38360 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38359 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials (malware-cnc.rules)
 * 1:38358 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (malware-cnc.rules)
 * 1:38357 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials (malware-cnc.rules)
 * 1:38356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant read logs (malware-cnc.rules)
 * 1:38355 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive (malware-cnc.rules)
 * 1:38354 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs (malware-cnc.rules)
 * 1:38353 <-> DISABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup (malware-cnc.rules)
 * 1:38352 <-> ENABLED <-> MALWARE-CNC Win.Trojan.NetWiredRC variant check logs (malware-cnc.rules)
 * 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
 * 1:38350 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
 * 1:38349 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:38348 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt (os-linux.rules)
 * 3:38347 <-> ENABLED <-> FILE-EXECUTABLE PHP libmagic PE out of bounds memory access attempt (file-executable.rules)

Modified Rules:


 * 1:24330 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24327 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24328 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24325 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24326 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:23790 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Multiple Products table frames memory corruption attempt (browser-firefox.rules)
 * 1:24324 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:18710 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1 (file-image.rules)
 * 1:7070 <-> DISABLED <-> POLICY-OTHER script tag in URI - likely cross-site scripting attempt (policy-other.rules)
 * 1:6697 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Media Player Malformed PNG detected sPLT overflow attempt (file-image.rules)
 * 1:6405 <-> DISABLED <-> SERVER-OTHER Veritas NetBackup Volume Manager overflow attempt (server-other.rules)
 * 1:36798 <-> ENABLED <-> EXPLOIT-KIT GongDa landing page detected (exploit-kit.rules)
 * 1:32639 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port (exploit-kit.rules)
 * 1:31985 <-> ENABLED <-> OS-OTHER Malicious DHCP server bash environment variable injection attempt (os-other.rules)
 * 1:31455 <-> DISABLED <-> EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request (exploit-kit.rules)
 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:28985 <-> ENABLED <-> MALWARE-CNC Win.Worm.Steckt IRCbot executable download (malware-cnc.rules)
 * 1:27244 <-> ENABLED <-> SERVER-APACHE Apache Struts2 blacklisted method redirect (server-apache.rules)
 * 1:26568 <-> DISABLED <-> INDICATOR-OBFUSCATION eval of base64-encoded data (indicator-obfuscation.rules)
 * 1:26566 <-> DISABLED <-> INDICATOR-OBFUSCATION base64-encoded nop sled detected (indicator-obfuscation.rules)
 * 1:24996 <-> DISABLED <-> SERVER-OTHER Free Software Foundation GnuTLS record application integer overflow attempt (server-other.rules)
 * 1:25121 <-> ENABLED <-> FILE-JAVA Oracle Java field bytecode verifier cache code execution attempt (file-java.rules)
 * 1:24737 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24333 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24332 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 1:24331 <-> DISABLED <-> SERVER-OTHER EMC AutoStart ftAgent.exe integer overflow attempt (server-other.rules)
 * 3:29944 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:29945 <-> ENABLED <-> FILE-IMAGE Microsoft Multiple Products potentially malicious PNG detected - large or invalid chunk size (file-image.rules)
 * 3:23608 <-> ENABLED <-> PROTOCOL-DNS dns zone transfer with zero-length rdata attempt (protocol-dns.rules)
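As an added example (not part of the Talos release note and not Talos tooling), the Python script below parses lines in the `gid:sid <-> Default rule state <-> Message (rule group)` format stated in the change logs above and reports which new rules ship DISABLED. The sample input is constructed from a few lines copied from the lists on this page. gid 1 entries are text rules and gid 3 entries are shared-object rules. A rule listed as DISABLED is not active in the default policy until it is explicitly enabled, so the disabled new rules are the review queue for any environment that runs the affected products (here, for instance, Cisco Prime DCNM, McAfee ePO and Veritas NetBackup). The one-`gid:sid`-per-line output layout is an assumption modelled on the PulledPork enablesid convention; the release note does not define any such format.

```python
import re
from collections import Counter

# Regex for the changelog line format stated in the release note:
#   gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.*?)\s+\((?P<group>[\w.-]+\.rules)\)\s*$"
)

# Constructed sample input: five lines copied from the lists on this page plus the
# section headers the parser has to recognise.
SAMPLE = """\
New Rules:

 * 1:38360 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Samas variant download attempt (malware-other.rules)
 * 1:38351 <-> DISABLED <-> SERVER-WEBAPP Cisco Prime Data Center Network Manager processImageSave.jsp directory traversal attempt (server-webapp.rules)
 * 3:38346 <-> ENABLED <-> OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt (os-linux.rules)

Modified Rules:

 * 1:18710 <-> DISABLED <-> SERVER-OTHER McAfee ePolicy Orchestrator Framework Services buffer overflow attempt (server-other.rules)
 * 1:16561 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS4 TIFF file exploit attempt - 1  (file-image.rules)
"""


def parse_changelog(text):
    """Turn a changelog into a list of rule records, each tagged 'new' or 'modified'."""
    rules = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers and anything not in the stated format
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "state": m["state"],
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
            "so_rule": m["gid"] == "3",  # gid 3 marks a shared-object rule
        })
    return rules


def disabled_new_rules(rules):
    """New rules that are off by default: the set to review against the local asset inventory."""
    return sorted(
        (r["gid"], r["sid"]) for r in rules
        if r["section"] == "new" and r["state"] == "DISABLED"
    )


def state_summary(rules):
    """Count rules per (section, default state)."""
    return dict(Counter((r["section"], r["state"]) for r in rules))


def enablesid_lines(rules, groups):
    """Emit one 'gid:sid' line per disabled new rule whose rule group is in `groups`.
    The gid:sid-per-line layout is assumed (PulledPork enablesid style); the release
    note itself does not define an enable-list format."""
    wanted = set(groups)
    return [
        f"{r['gid']}:{r['sid']}" for r in rules
        if r["section"] == "new" and r["state"] == "DISABLED" and r["group"] in wanted
    ]


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE)
    print(state_summary(parsed))
    print("disabled new rules:", disabled_new_rules(parsed))
    print("\n".join(enablesid_lines(parsed, ["server-webapp.rules"])))
```

Run it against the full text of either change log to get the complete list of new-but-disabled SIDs for this release; the group filter is what turns that list into something actionable, since enabling every DISABLED rule wholesale is the usual source of false-positive noise after an update.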