Talos has added and modified multiple rules in the blacklist, browser-other, file-other, indicator-compromise, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
* 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
* 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
* 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
* 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
* 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
* 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
* 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
* 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
* 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
* 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
* 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
* 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
* 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
* 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)

* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
* 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
* 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
* 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
* 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
* 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
* 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
* 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
* 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
* 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
* 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
* 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
* 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
* 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
* 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
* 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
* 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
* 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)

* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
* 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
* 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
* 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38626 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38625 <-> DISABLED <-> SERVER-WEBAPP Gemtek CPE7000 sysconf.cgi command injection attempt (server-webapp.rules)
* 1:38624 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38623 <-> ENABLED <-> FILE-OTHER GDCM DICOM image integer overflow attempt (file-other.rules)
* 1:38622 <-> DISABLED <-> SERVER-OTHER ISC BIND malformed control channel authentication message denial of service attempt (server-other.rules)
* 1:38621 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38620 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex certificate exchange (malware-cnc.rules)
* 1:38619 <-> DISABLED <-> INDICATOR-COMPROMISE binary download while text expected (indicator-compromise.rules)
* 1:38618 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38617 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38616 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38615 <-> DISABLED <-> INDICATOR-OBFUSCATION newline only separator evasion (indicator-obfuscation.rules)
* 1:38614 <-> DISABLED <-> INDICATOR-OBFUSCATION carriage return only separator evasion (indicator-obfuscation.rules)
* 1:38613 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Wallex variant outbound connection (malware-cnc.rules)
* 1:38612 <-> ENABLED <-> BLACKLIST DNS request for known malware domain wallex.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38611 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gils.ho.ua - Win.Trojan.Wallex (blacklist.rules)
* 1:38610 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download (malware-cnc.rules)
* 1:38609 <-> DISABLED <-> SERVER-WEBAPP pfSense status_rrd_graph_img.php command injection attempt (server-webapp.rules)
* 1:38608 <-> ENABLED <-> MALWARE-CNC Win.Trojan.RockLoader variant outbound connection (malware-cnc.rules)
* 1:38607 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant outbound connection attempt (malware-cnc.rules)
* 1:38606 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Qakbot variant network speed test (malware-cnc.rules)
* 1:38605 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjj.info - JS_JITON (blacklist.rules)
* 1:38604 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tongjii.us - JS_JITON (blacklist.rules)
* 1:38603 <-> ENABLED <-> MALWARE-CNC Win.Trojan.UP007 variant outbound connection (malware-cnc.rules)
* 1:38602 <-> DISABLED <-> INDICATOR-OBFUSCATION mixed case HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38601 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP header format evasion attempt (indicator-obfuscation.rules)
* 1:38600 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP response code evasion attempt (indicator-obfuscation.rules)
* 1:38599 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid HTTP 100 response followed by 200 evasion attempt (indicator-obfuscation.rules)
* 1:38598 <-> DISABLED <-> INDICATOR-OBFUSCATION invalid HTTP header evasion attempt (indicator-obfuscation.rules)
* 1:38597 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)
* 1:38596 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header null byte evasion attempt (indicator-obfuscation.rules)

* 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
* 1:38332 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header dual colon evasion attempt (indicator-obfuscation.rules)
* 1:38340 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP multiple encodings per line attempt (indicator-obfuscation.rules)
* 1:38381 <-> DISABLED <-> BROWSER-OTHER HTTP characters prior to header evasion attempt (browser-other.rules)