Talos Rules 2016-04-05
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-other, browser-plugins, browser-webkit, file-flash, file-office, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-05 18:42:43 UTC

Snort Subscriber Rules Update

Date: 2016-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
 * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules)
 * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
 * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules)
 * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)

2016-04-05 18:42:43 UTC

Snort Subscriber Rules Update

Date: 2016-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
 * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules)
 * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules)
 * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:


 * 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules)
 * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules)
 * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)

2016-04-05 18:42:43 UTC

Snort Subscriber Rules Update

Date: 2016-04-05

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38388 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check (malware-cnc.rules)
 * 1:38390 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38389 <-> DISABLED <-> SERVER-WEBAPP HID door command injection attempt (server-webapp.rules)
 * 1:38385 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38383 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38384 <-> DISABLED <-> BROWSER-PLUGINS Advantech WebAccess ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38386 <-> ENABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38391 <-> DISABLED <-> SERVER-OTHER HP JetDirect PJL path traversal attempt (server-other.rules)
 * 1:38393 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)
 * 1:38387 <-> DISABLED <-> MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection (malware-cnc.rules)
 * 1:38392 <-> DISABLED <-> SERVER-WEBAPP Apache Jetspeed Portal Site Manager directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:25124 <-> DISABLED <-> BROWSER-OTHER suspicious named empty form detected (browser-other.rules)
 * 1:36752 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:28165 <-> DISABLED <-> PROTOCOL-VOIP attempted DOS detected (protocol-voip.rules)
 * 1:36751 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel MdCallBack out of bounds read attempt (file-office.rules)
 * 1:26658 <-> DISABLED <-> BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source (browser-webkit.rules)
 * 1:38227 <-> DISABLED <-> FILE-FLASH Adobe Flash Player mp4 size memory corruption attempt (file-flash.rules)