Talos Rules 2016-04-19
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-04-19 14:24:34 UTC

Snort Subscriber Rules Update

Date: 2016-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
 * 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
 * 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
 * 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
 * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
 * 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
 * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
 * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
 * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
 * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
 * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
 * 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
 * 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)

2016-04-19 14:24:34 UTC

Snort Subscriber Rules Update

Date: 2016-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
 * 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
 * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
 * 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
 * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
 * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
 * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
 * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
 * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
 * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
 * 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
 * 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
 * 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)

2016-04-19 14:24:34 UTC

Snort Subscriber Rules Update

Date: 2016-04-19

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38577 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38576 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38575 <-> DISABLED <-> SERVER-OTHER OpenSSL TLS change cipher spec protocol denial of service attempt (server-other.rules)
 * 1:38574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection (malware-cnc.rules)
 * 1:38573 <-> ENABLED <-> MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon (malware-cnc.rules)
 * 1:38572 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38571 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38570 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38569 <-> DISABLED <-> FILE-OTHER ABC file instruction field parsing exploitation attempt (file-other.rules)
 * 1:38568 <-> DISABLED <-> SERVER-OTHER Smart Software Solutions Codesys Gateway Server projectName heap buffer overflow attempt (server-other.rules)
 * 1:38567 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Coverton variant outbound connection (malware-cnc.rules)
 * 1:38566 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt (malware-cnc.rules)
 * 1:38565 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt (malware-cnc.rules)
 * 1:38564 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt (malware-cnc.rules)
 * 1:38563 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response (malware-cnc.rules)
 * 1:38562 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt (malware-cnc.rules)
 * 1:38561 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt (malware-cnc.rules)
 * 1:38560 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot (malware-cnc.rules)
 * 1:38559 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes (malware-cnc.rules)
 * 1:38558 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection (malware-cnc.rules)
 * 1:38557 <-> ENABLED <-> MALWARE-CNC Win.Trojan.GateKeylogger outbound connection attempt (malware-cnc.rules)
 * 1:38556 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38555 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38554 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38553 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)
 * 1:38552 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)

Modified Rules:


 * 1:24729 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24730 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24731 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24732 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24733 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24734 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24735 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:24736 <-> DISABLED <-> SERVER-WEBAPP Oracle GlassFish cross site scripting attempt (server-webapp.rules)
 * 1:27708 <-> DISABLED <-> MALWARE-CNC Win.Ransomware.Urausy outbound connection (malware-cnc.rules)
 * 1:34930 <-> DISABLED <-> MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt (malware-other.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38256 <-> ENABLED <-> MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection attempt (malware-cnc.rules)
 * 1:38489 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38490 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word OleRegEnumVerbs object icon memory corruption attempt (file-office.rules)
 * 1:38495 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
 * 1:38496 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bound read exception attempt (file-office.rules)
 * 1:38522 <-> DISABLED <-> EXPLOIT-KIT Angler landing page detected (exploit-kit.rules)