CVE-2016-3081: A coding deficiency exists in Apache Struts that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21072, 21656, and 23631.
Talos has added and modified multiple rules in the blacklist, browser-ie, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules) * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules) * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules) * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules) * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules)
* 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules) * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules) * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules) * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules) * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules) * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules) * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules) * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules) * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules) * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules) * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules) * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules) * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules) * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules) * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules) * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules) * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules) * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules) * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules) * 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
* 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules) * 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules) * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules) * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules) * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules) * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules) * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules) * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules) * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)