Talos has added and modified multiple rules in the app-detect, blacklist, exploit-kit, file-office, indicator-obfuscation, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
A rule whose default state is DISABLED ships in the pack but is commented out and will not alert until you enable it in your policy; review those entries rather than assuming coverage. Entries with gid 3 are shared-object (precompiled) rules, entries with gid 1 are text rules.
Added rules:
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
Modified rules:
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:25229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant inbound connection (malware-cnc.rules)
* 1:25230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
Modified rules:
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:25229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant inbound connection (malware-cnc.rules)
* 1:25230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
Added rules:
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:38580 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38581 <-> ENABLED <-> FILE-OFFICE RFT document malformed header (file-office.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38585 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38586 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38587 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt (malware-cnc.rules)
* 1:38588 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection attempt (malware-cnc.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38592 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38593 <-> ENABLED <-> EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt (exploit-kit.rules)
* 1:38594 <-> DISABLED <-> APP-DETECT Bloomberg web crawler outbound connection (app-detect.rules)
* 1:38595 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP version evasion attempt (indicator-obfuscation.rules)
* 3:38590 <-> ENABLED <-> SERVER-OTHER Cisco Wireless LAN Controller mDNS denial of service attempt (server-other.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
Modified rules:
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 1:24642 <-> DISABLED <-> SERVER-WEBAPP RedHat JBoss Enterprise Application Platform JMX code execution attempt (server-webapp.rules)
* 1:25100 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 1:25229 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant inbound connection (malware-cnc.rules)
* 1:25230 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Darkkomet variant outbound connection (malware-cnc.rules)
* 1:36506 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Njrat variant outbound connection (malware-cnc.rules)
* 3:36558 <-> ENABLED <-> SERVER-OTHER Cisco ASA DHCPv6 relay solicit denial of service attempt (server-other.rules)
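The three release lists above share one format, "gid:sid <-> Default rule state <-> Message (rule group)". The following Python is an added example, not Talos or Snort tooling, that parses lists in that format (both the one-entry-per-line form Talos publishes and the run-together form shown on this page), reports which rules ship DISABLED, groups entries by rules file, and diffs two packs so that a change of default state or message text between releases stands out. The entries embedded in it are a subset copied from the 2976 and 2980 lists, not the full releases. The `enablesid_entries` output uses the one-`gid:sid`-per-line form that a PulledPork enablesid.conf takes; that you tune with PulledPork is an assumption, and other rule managers want their own syntax.

```python
import re
from dataclasses import dataclass

# Subset of entries copied from the page's 2976 list (not the full release),
# in the one-entry-per-line form Talos publishes.
PACK_2976 = """\
* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules)
* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules)
* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules)
* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules)
* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)
* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules)
"""

# The same subset copied from the page's 2980 list, in the run-together form
# the page shows after extraction; the parser has to handle both.
PACK_2980 = (
    "* 1:38579 <-> DISABLED <-> SERVER-WEBAPP Atvise denial of service attempt (server-webapp.rules) "
    "* 1:38582 <-> DISABLED <-> EXPLOIT-KIT Nuclear exploit kit landing page detected (exploit-kit.rules) "
    "* 1:38584 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection (malware-cnc.rules) "
    "* 1:38589 <-> DISABLED <-> EXPLOIT-KIT vbscript downloading executable attempt (exploit-kit.rules) "
    "* 3:38591 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller management interface denial of service attempt (server-webapp.rules) "
    "* 1:17904 <-> ENABLED <-> BLACKLIST URI request for known malicious URI - /tongji.js (blacklist.rules)"
)

# One entry: "* gid:sid <-> STATE <-> message (group.rules)". Scanning with
# finditer instead of splitting on newlines is what makes flattened text work.
ENTRY_RE = re.compile(
    r"\*\s+(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)\s+<->\s+"
    r"(?P<msg>.+?)\s+\((?P<group>[\w-]+\.rules)\)"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    enabled: bool   # default state in the shipped pack
    msg: str
    group: str      # rules file the entry lives in

    @property
    def shared_object(self) -> bool:
        # GID 3 is the shared-object (precompiled) rule generator; GID 1 is text rules.
        return self.gid == 3


def parse_pack(text: str) -> dict:
    """Map (gid, sid) -> Rule for every entry found in a release list."""
    return {
        (int(m["gid"]), int(m["sid"])): Rule(
            int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"]
        )
        for m in ENTRY_RE.finditer(text)
    }


def disabled_by_default(rules: dict) -> list:
    """Sorted (gid, sid) keys that ship DISABLED; these alert on nothing until enabled."""
    return sorted(k for k, r in rules.items() if not r.enabled)


def by_group(rules: dict) -> dict:
    """Sorted (gid, sid) keys grouped by rules file."""
    out = {}
    for k in sorted(rules):
        out.setdefault(rules[k].group, []).append(k)
    return out


def diff_packs(old: dict, new: dict) -> tuple:
    """(added, removed, changed): keys only in `new`, only in `old`, or present in
    both with a different default state or message text."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(
        k for k in set(old) & set(new)
        if (old[k].enabled, old[k].msg) != (new[k].enabled, new[k].msg)
    )
    return added, removed, changed


def enablesid_entries(rules: dict, groups: set) -> list:
    """'gid:sid' strings for DISABLED rules in the chosen groups, one per entry,
    the form a PulledPork enablesid.conf takes (assumption: you tune with
    PulledPork; other rule managers want their own syntax)."""
    return [f"{g}:{s}" for g, s in disabled_by_default(rules) if rules[(g, s)].group in groups]


if __name__ == "__main__":
    old, new = parse_pack(PACK_2976), parse_pack(PACK_2980)
    print("added/removed/changed between packs:", diff_packs(old, new))
    for g, s in disabled_by_default(new):
        print(f"ships DISABLED, review before relying on it: {g}:{s} {new[(g, s)].msg}")
    print("enablesid.conf lines for exploit-kit:", enablesid_entries(new, {"exploit-kit.rules"}))
```

Run it on the full lists and the diff comes back empty for all three packs on this page, which is the quick way to confirm that a new rule-pack version did not silently flip a default state; the DISABLED report is where to start when deciding which exploit-kit or server-webapp entries your policy should actually enable.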