Talos Rules 2016-04-08
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, malware-other and policy-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-04-08 21:15:56 UTC

Snort Subscriber Rules Update

Date: 2016-04-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules)

Modified Rules:
 * 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
 * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
 * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
 * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules)
 * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
 * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
 * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
 * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
 * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
 * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules)
 * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules)
 * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)

2016-04-08 21:15:56 UTC

Snort Subscriber Rules Update

Date: 2016-04-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules)

Modified Rules:
 * 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
 * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
 * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
 * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules)
 * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
 * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
 * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
 * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
 * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
 * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules)
 * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules)
 * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)

2016-04-08 21:15:56 UTC

Snort Subscriber Rules Update

Date: 2016-04-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:38457 <-> DISABLED <-> POLICY-OTHER Suspicious typo squatting DNS query to .om TLD attempt (policy-other.rules)
 * 1:38456 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38455 <-> ENABLED <-> FILE-FLASH Adobe Flash Player toString type confusion memory corruption attempt (file-flash.rules)
 * 1:38454 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38453 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38452 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38451 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38450 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38449 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38448 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38447 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38446 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38445 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38444 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38443 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38442 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38441 <-> ENABLED <-> MALWARE-OTHER Win.Trojan.Petya variant download attempt (malware-other.rules)
 * 1:38440 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38439 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit news uri structure (exploit-kit.rules)
 * 1:38438 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit questions uri request attempt (exploit-kit.rules)
 * 1:38437 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit outbound uri structure (exploit-kit.rules)
 * 1:38436 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)
 * 1:38435 <-> DISABLED <-> BROWSER-PLUGINS Schneider F1 Bookview ActiveX clsid access attempt (browser-plugins.rules)

Modified Rules:
 * 1:10202 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt (netbios.rules)
 * 1:10208 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt (netbios.rules)
 * 1:12307 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt (netbios.rules)
 * 1:12317 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt (netbios.rules)
 * 1:12326 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt (netbios.rules)
 * 1:12332 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt (netbios.rules)
 * 1:12335 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt (netbios.rules)
 * 1:12341 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt (netbios.rules)
 * 1:12347 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt (netbios.rules)
 * 1:17634 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt (netbios.rules)
 * 1:17707 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt (netbios.rules)
 * 1:17714 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:17715 <-> DISABLED <-> NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt (netbios.rules)
 * 1:32362 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:32363 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VML use after free attempt (browser-ie.rules)
 * 1:37014 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)