Talos Rules 2016-03-31
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, exploit-kit, file-flash, indicator-obfuscation, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-31 13:53:15 UTC

Snort Subscriber Rules Update

Date: 2016-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38377 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38376 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
 * 1:38379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
 * 1:38373 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38374 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38372 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
 * 1:38371 <-> DISABLED <-> SERVER-WEBAPP Bharat Mediratta Gallery PHP file inclusion attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
 * 1:38366 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jqtnohzbck5k.com - Bedep (blacklist.rules)
 * 1:38367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep.variant CNC server response (malware-cnc.rules)
 * 1:38365 <-> DISABLED <-> SERVER-OTHER TCPDUMP ISAKMP payload handling denial of service attempt (server-other.rules)
 * 1:38375 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)

Modified Rules:


 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38033 <-> DISABLED <-> POLICY-OTHER SWF containing allowLoadBytesCodeExecution function download detected  (policy-other.rules)
 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38024 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:38025 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:38021 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:38023 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
 * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules)
 * 1:38020 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
 * 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)

2016-03-31 13:53:15 UTC

Snort Subscriber Rules Update

Date: 2016-03-31

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38382 <-> DISABLED <-> BROWSER-OTHER ICY HTTP version evasion attempt (browser-other.rules)
 * 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
 * 1:38380 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
 * 1:38379 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex file download attempt (malware-cnc.rules)
 * 1:38378 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
 * 1:38377 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38376 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38375 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38374 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38373 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38372 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Maktub variant download attempt (malware-other.rules)
 * 1:38371 <-> DISABLED <-> SERVER-WEBAPP Bharat Mediratta Gallery PHP file inclusion attempt (server-webapp.rules)
 * 1:38370 <-> DISABLED <-> SERVER-WEBAPP IPESOFT D2000 directory traversal attempt (server-webapp.rules)
 * 1:38369 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header whitespace evasion attempt (indicator-obfuscation.rules)
 * 1:38368 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP illegal chars after encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38367 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bedep.variant CNC server response (malware-cnc.rules)
 * 1:38366 <-> ENABLED <-> BLACKLIST DNS request for known malware domain jqtnohzbck5k.com - Bedep (blacklist.rules)
 * 1:38365 <-> DISABLED <-> SERVER-OTHER TCPDUMP ISAKMP payload handling denial of service attempt (server-other.rules)

Modified Rules:


 * 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
 * 1:38337 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header comma prior to encoding type evasion attempt (indicator-obfuscation.rules)
 * 1:38025 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:38033 <-> DISABLED <-> POLICY-OTHER SWF containing allowLoadBytesCodeExecution function download detected  (policy-other.rules)
 * 1:38023 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
 * 1:38024 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:38020 <-> DISABLED <-> FILE-FLASH CreateFileA shellcode found in flash file (file-flash.rules)
 * 1:38021 <-> DISABLED <-> FILE-FLASH SWF with large DefineBinaryData tag (file-flash.rules)
 * 1:37728 <-> DISABLED <-> INDICATOR-OBFUSCATION SWF with large DefineBinaryData tag (indicator-obfuscation.rules)
 * 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:33906 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:38341 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple Content-Encoding headers evasion attempt (indicator-obfuscation.rules)
 * 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)